
Critical fixes for Excel, Outlook and Windows

By Bill Brenner, Senior News Writer
09 Jan 2007 | SearchSecurity.com

Security Wire Daily News

Microsoft on Tuesday patched 10 security flaws in Excel, Outlook and Windows in its first monthly security update of the year. Three of the four bulletins addressed critical problems that attackers could exploit to take complete control of targeted machines; the fourth was rated important.

Michael Sutton, security evangelist for Atlanta-based security vendor SPI Dynamics Inc., said the most significant update is MS07-004, which fixes a flaw in the Vector Markup Language (VML) implementation within the Windows operating system.

"An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML email that could potentially allow remote code execution if a user visited the Web page or viewed the message," Microsoft said.

Sutton said the update is a big one because the flaw is reachable through all versions of Internet Explorer (IE), including the recently released IE 7.

"The good news is that user interaction is required for this kind of exploit to work," he said. "But when you have a huge user base like Internet Explorer, it stands to reason that someone will fall for this."

Sutton said the flaw will be a popular attack vector for bot herders looking to control as many machines as possible. He said those who are successful will be able to do whatever they want, whether it's launching spam and denial-of-service attacks or conducting phishing scams.

The other critical fixes are for flaws an attacker could exploit to "install programs, view, change or delete data; or create new accounts with full user rights," Microsoft said. They are:

MS07-002, which fixes five separate security flaws in Microsoft Excel. Four of them are exploitable when the spreadsheet program parses a crafted file and processes malformed IMDATA, column or palette records; Microsoft did not give details of the fifth.
MS07-003, which fixes three separate flaws in Microsoft Outlook. The first is exploitable when Outlook parses a file and processes a malformed VEVENT (calendar entry) record. The second is exploitable when Outlook parses a malformed .oss (Office saved search) file.

The third flaw is a denial-of-service condition that involves the way Outlook processes email header information. "An attacker who successfully exploited the vulnerability could send a malformed email to a user of Outlook that would cause the Outlook client to fail under certain circumstances," Microsoft said. "The Outlook client would continue to fail so long as the malformed email message remained on the email server."

A fourth security update, MS07-001, was rated important. It fixes a remote code execution vulnerability in the Microsoft Office 2003 Brazilian Portuguese Grammar Checker. An attacker could exploit the flaw when Office opens a file and parses the text, Microsoft said.

Although this flaw was rated only important, Microsoft warned that a successful attacker could do the same damage to a targeted machine as with any of the critical flaws.

Oliver Friedrichs, director of emerging technologies in the security response center at Cupertino, Calif.-based Symantec Corp., said in a statement that Tuesday's patch release shows that the volume of client-side vulnerabilities in Windows isn't slowing down.

"Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible," he said.

Tuesday's security update was only half as large as first expected. Microsoft said last week that it would release eight security updates, but decided a day later to hold off on four of them.

Asked for an explanation, a Microsoft spokesman said in an email exchange that the software giant always makes it clear in the Patch Tuesday advance bulletins that the number of bulletins, products affected, restart information and severities are subject to change until the official updates are released.

"There are many factors that impact the release of a security update, and every vulnerability presents its own unique challenges," he said, adding that Microsoft also tweaked its advance notification last month when it added MS06-078 to fix two zero-day flaws in Windows Media Player.
