Critical fixes for Excel, Outlook and Windows

By Bill Brenner, Senior News Writer
09 Jan 2007 | SearchSecurity.com

Security Wire Daily News

Microsoft patched 10 security flaws in its Excel, Outlook and Windows programs Tuesday in its first monthly security update of the year. Three bulletins addressed critical problems attackers could exploit to take complete control of targeted machines, while one was rated as important.

Michael Sutton, security evangelist for Atlanta-based security vendor SPI Dynamics Inc., said the most significant update is MS07-004, which fixes a flaw in the Vector Markup Language (VML) implementation within the Windows operating system.

"An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML email that could potentially allow remote code execution if a user visited the Web page or viewed the message," Microsoft said.

Sutton said the update is a big one because the flaw affects all versions of Internet Explorer (IE), including the recently released IE 7.

"The good news is that user interaction is required for this kind of exploit to work," he said. "But when you have a huge user base like Internet Explorer, it stands to reason that someone will fall for this."

Sutton said the flaw will be a popular attack vector for bot herders looking to control as many machines as possible. He said those who are successful will be able to do whatever they want, whether it's launching spam and denial-of-service attacks or conducting phishing scams.

The other critical fixes are for flaws an attacker could exploit to "install programs, view, change or delete data; or create new accounts with full user rights," Microsoft said. They are:

MS07-002, which fixes five separate security flaws in Microsoft Excel, most of which are exploitable when the spreadsheet program parses certain files and processes malformed IMDATA, column and palette records. One of the flaws wasn't specified.

MS07-003, which fixes three separate flaws in Microsoft Outlook. The first flaw is exploitable when Outlook parses a file and processes a malformed VEVENT record. The second flaw is exploitable when Outlook parses an .oss file.

The third flaw is a denial-of-service condition that involves the way Outlook processes email header information. "An attacker who successfully exploited the vulnerability could send a malformed email to a user of Outlook that would cause the Outlook client to fail under certain circumstances," Microsoft said. "The Outlook client would continue to fail so long as the malformed email message remained on the email server."

A fourth security update, MS07-001, was rated important. It fixes a remote code execution vulnerability in the Microsoft Office 2003 Brazilian Portuguese Grammar Checker. An attacker could exploit the flaw when Office opens a file and parses the text, Microsoft said.

While this flaw was only rated as important, Microsoft warned that a successful attacker could do the same damage to targeted machines that could be done if one of the critical flaws were exploited.

Oliver Friedrichs, director of emerging technologies in the security response center at Cupertino, Calif.-based Symantec Corp., said in a statement that Tuesday's patch release shows that the volume of client-side vulnerabilities in Windows isn't slowing down.

"Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible," he said.

Tuesday's security update was only half as large as first expected. Microsoft said last week that it would release eight security updates, but decided a day later to hold off on four of them.

Asked for an explanation, a Microsoft spokesman said in an email exchange that the software giant always makes it clear in the Patch Tuesday advance bulletins that the number of bulletins, products affected, restart information and severities are subject to change until the official updates are released.

"There are many factors that impact the release of a security update, and every vulnerability presents its own unique challenges," he said, adding that Microsoft also tweaked its advance notification last month when it added MS06-078 to fix two zero-day flaws in Windows Media Player.
