
Critical fixes for Excel, Outlook and Windows

By Bill Brenner, Senior News Writer
09 Jan 2007 | SearchSecurity.com


Microsoft patched 10 security flaws in its Excel, Outlook and Windows programs Tuesday in its first monthly security update of the year. Three bulletins addressed critical problems attackers could exploit to take complete control of targeted machines, while one was rated as important.

Michael Sutton, security evangelist for Atlanta-based security vendor SPI Dynamics Inc., said the most significant update is MS07-004, which fixes a flaw in the Vector Markup Language (VML) implementation within the Windows operating system.

"An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML email that could potentially allow remote code execution if a user visited the Web page or viewed the message," Microsoft said.

Sutton said the update is a big one because the flaw affects all versions of Internet Explorer (IE), including the recently released IE 7.

"The good news is that user interaction is required for this kind of exploit to work," he said. "But when you have a huge user base like Internet Explorer, it stands to reason that someone will fall for this."

Sutton said the flaw will be a popular attack vector for bot herders looking to control as many machines as possible. He said those who are successful will be able to do whatever they want, whether it's launching spam and denial-of-service attacks or conducting phishing scams.
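The delivery vehicle Microsoft describes for MS07-004 is HTML carrying VML markup, whether on a Web page or in an HTML email. The following is an added example, not code from the article or from Microsoft: a small mail-gateway check that pulls the text/html parts out of an RFC 822 message and flags the three markers that indicate VML content (the urn:schemas-microsoft-com:vml namespace, an explicit v: element, and the #default#VML behavior binding). The messages it scans are constructed inline for the demonstration; a real deployment would feed it messages from the MTA. It complements, rather than replaces, deploying the patch (or Microsoft's published interim workaround of unregistering vgx.dll) on the endpoints.

```python
"""Flag HTML mail that carries VML markup, the attack vector described for MS07-004.

Added example; the sample messages below are constructed for the demo.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Markers of VML content in HTML: the namespace declaration that Office and IE emit,
# an explicit v: element, and the CSS behavior binding that activates the VML renderer.
VML_PATTERNS = [
    re.compile(r'urn:schemas-microsoft-com:vml', re.I),
    re.compile(r'<\s*v:[a-z]+', re.I),
    re.compile(r'behavior\s*:\s*url\s*\(\s*#default#VML\s*\)', re.I),
]


def html_parts(msg):
    """Yield the decoded body of every text/html part, including nested multiparts."""
    for part in msg.walk():
        if part.get_content_type() == 'text/html':
            # get_content() undoes quoted-printable/base64 and charset encoding,
            # so the regexes run over the HTML the client would actually render.
            yield part.get_content()


def vml_findings(raw_bytes):
    """Return the sorted list of VML marker patterns found in a raw message (empty if clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = set()
    for html in html_parts(msg):
        for pat in VML_PATTERNS:
            if pat.search(html):
                findings.add(pat.pattern)
    return sorted(findings)


def build_sample(html_body=None):
    """Build a constructed multipart/alternative message (plain text only if html_body is None)."""
    m = EmailMessage()
    m['From'] = 'sender@example.com'   # constructed sample addresses
    m['To'] = 'user@example.com'
    m['Subject'] = 'constructed sample message'
    m.set_content('plain text fallback')
    if html_body is not None:
        m.add_alternative(html_body, subtype='html')
    return m.as_bytes()


# Constructed sample bodies: one ordinary HTML mail, one carrying VML.
BENIGN_HTML = '<html><body><p>Quarterly numbers attached.</p></body></html>'
VML_HTML = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><head>'
    '<style>v\\:* {behavior:url(#default#VML);}</style></head>'
    '<body><v:rect style="width:100pt;height:50pt" fillcolor="red"/></body></html>'
)


def scan_samples():
    """Run the check over the constructed samples; returns {label: findings}."""
    return {
        'text_only': vml_findings(build_sample()),
        'benign_html': vml_findings(build_sample(BENIGN_HTML)),
        'vml_html': vml_findings(build_sample(VML_HTML)),
    }


if __name__ == '__main__':
    for label, found in scan_samples().items():
        verdict = 'QUARANTINE' if found else 'pass'
        print(f'{label:12s} {verdict:10s} {found}')
```

The namespace check catches the common case, but mail generated by hand can omit the xmlns declaration and still trigger the renderer, which is why the element and behavior patterns are checked as well. Treat a hit as a reason to quarantine and inspect, not as proof of an exploit; legitimate Outlook-authored mail also embeds VML.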

The other critical fixes are for flaws an attacker could exploit to "install programs, view, change or delete data; or create new accounts with full user rights," Microsoft said. They are:

MS07-002, which fixes five separate security flaws in Microsoft Excel. Most are triggered when the spreadsheet program parses a crafted file and processes a malformed IMDATA, column or palette record; Microsoft did not describe the trigger for one of the five.
MS07-003, which fixes three separate flaws in Microsoft Outlook. The first flaw is exploitable when Outlook parses a file and processes a malformed VEVENT record. The second flaw is exploitable when Outlook parses an .oss file.

The third flaw is a denial-of-service condition that involves the way Outlook processes email header information. "An attacker who successfully exploited the vulnerability could send a malformed email to a user of Outlook that would cause the Outlook client to fail under certain circumstances," Microsoft said. "The Outlook client would continue to fail so long as the malformed email message remained on the email server."

A fourth security update, MS07-001, was rated important. It fixes a remote code execution vulnerability in the Microsoft Office 2003 Brazilian Portuguese Grammar Checker. An attacker could exploit the flaw when Office opens a file and parses the text, Microsoft said.

While this flaw was only rated as important, Microsoft warned that a successful attacker could do the same damage to targeted machines that could be done if one of the critical flaws were exploited.

Oliver Friedrichs, director of emerging technologies in the security response center at Cupertino, Calif.-based Symantec Corp., said in a statement that Tuesday's patch release shows that the volume of client-side vulnerabilities in Windows isn't slowing down.

"Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible," he said.

Tuesday's security update was only half as large as first expected. Microsoft said last week that it would release eight security updates, but decided a day later to hold off on four of them.

Asked for an explanation, a Microsoft spokesman said in an email exchange that the software giant always makes it clear in the Patch Tuesday advance bulletins that the number of bulletins, products affected, restart information and severities are subject to change until the official updates are released.

"There are many factors that impact the release of a security update, and every vulnerability presents its own unique challenges," he said, adding that Microsoft also tweaked its advance notification last month when it added MS06-078 to fix two zero-day flaws in Windows Media Player.
