Microsoft repaired a bevy of vulnerabilities in Excel on Tuesday and warned of a new zero-day vulnerability in Internet Explorer that is being targeted by attackers.
The software giant issued two bulletins in March, repairing eight vulnerabilities that affect Microsoft Windows and Office. In addition, a new advisory warns of ongoing targeted attacks against an Internet Explorer zero-day vulnerability affecting IE 6 and IE 7.
The Internet Explorer advisory warned that Microsoft engineers were investigating new reports of an IE zero-day vulnerability. Users of IE 8 and those running Windows 7, Windows Vista or Windows Server 2008 are not affected by the flaw, said Jerry Bryant, senior communications manager lead at the Microsoft Security Response Center.
"We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible," Bryant said in the MSRC blog.
The advisory warns of attackers using spear-phishing messages that attempt to exploit the vulnerability in "targeted attacks." The messages attempt to get a user to click on a link leading to a malicious website. Once the victim visits the attack website, malware and other code are downloaded onto their machine, Microsoft said. The software giant issued a number of workarounds to block the attacks, including setting the Internet security zone settings to high and disabling active scripting.
Excel, Movie Maker vulnerabilities
The two bulletins issued Tuesday repair seven flaws in Microsoft Excel and an error in Windows Movie Maker that can be used by an attacker to gain complete control of a victim's machine.
Although the bulletins were rated important, they were given a rating of 1 on the Microsoft Exploitability Index, meaning the vulnerabilities would make an attractive target to attackers and be consistently used in attacks.
MS10-017 repairs vulnerabilities affecting all currently supported versions of Microsoft Office Excel. Microsoft said the bulletin is rated important and also affects Office 2004 and Office 2008 for Mac. Excel contains several memory corruption vulnerabilities, including a heap overflow error and a file parsing flaw.
MS10-016 addresses a project file handling vulnerability in Windows Movie Maker and Microsoft Producer 2003. The hole can be exploited if a user opens a malicious Movie Maker or Microsoft Producer project file. The malicious code could create a buffer overflow condition and enable an attacker to take complete control of a machine. Microsoft's Bryant said Producer 2003, which was freely distributed, is not receiving the update.
"We recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security," Bryant said.