As expected, Microsoft only released two security updates Tuesday, but those updates seal a variety of holes attackers could exploit to hijack workstations and run malicious code. One is a critical update for Microsoft Office while the other is an "important" fix for Windows.
The critical update fixes a half dozen different flaws in Microsoft Office that attackers could exploit to take control of client workstations. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the software giant said. Attackers could do this by:
- Constructing a specially crafted Excel file with a malformed range;
- Constructing a specially crafted Excel file with a malformed parsing format;
- Constructing a specially crafted Excel file using a malformed description;
- Constructing a specially crafted Excel file using a malformed graphic;
- Constructing a specially crafted Excel file using a malformed record; or by
- Constructing a specially crafted routing slip within an Office document.
Microsoft said this fix replaces several prior security updates. The replaced updates are outlined in the advisory.
"All the vulnerabilities come down to the same issue: If you open a malformed file, an attacker could get control of the system as the user opening the file," The Bethesda, Md.-based SANS Internet Storm Center said on its Web site Tuesday afternoon. "If you use Microsoft Office, you should apply this patch quickly."
The important update fixes a privilege elevation vulnerability in Windows.
"On Windows 2003, permissions on the identified services are set to a level that may allow a user that belongs to the network configuration operators group to change properties associated with the service," Microsoft said. "The vulnerability could allow a user with valid logon credentials to take complete control of the system on Microsoft Windows XP Service Pack 1."
As it did with the critical update, the Internet Storm Center offered its own description of the flaw: "It may be possible for a regular user to obtain the privileges assigned to a service. A lower-privileged user could change the configuration for a service in order to have it execute code or modify the system in other ways, once the service is running at the higher privilege."
The storm center added, "It is important to note that a 'service' is not just a 'server.' Services typically have to run at a higher privilege level as they require access to files across multiple users, and access to system resources."
Last month Microsoft issued seven security updates. Two critical flaws addressed in those updates affect Media Player and Internet Explorer.
Last week Microsoft was forced to issue a technical advisory warning that customers who apply some recent Windows Media Player 10 patches -- including one issued last month -- may experience the following issues when trying to seek, rewind or fast forward:
- The position slider may jump back to the start of the media file.
- Content playback may freeze, even though the status shows that the content is playing.
Microsoft offered these workarounds:
- If the server is running Microsoft Windows Server 2003 Service Pack 1 (SP1), disable the Advanced Fast Start feature on the publishing point.
- Make sure that the server-side playlist does not use the "clipBegin" element.