
Microsoft patches 12 Office flaws with critical updates

By Bill Brenner, Senior News Writer
11 Mar 2008 | SearchSecurity.com


Microsoft released four critical security updates Tuesday to fix 12 vulnerabilities in various components of its widely used Office program, including Excel and Outlook.


Tim Rains, communications chief for Microsoft Security Response, said all of this month's bulletins are for critical vulnerabilities attackers could exploit to take complete control of targeted machines. A successful attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Cupertino, Calif.-based security vendor Symantec deemed the patch release serious enough to raise its ThreatCon from Level 1 to 2, indicating an increased risk of attack for Office users. "We urge customers to apply the available patches immediately," Symantec said in an email to customers of its DeepSight threat management service.

Andrew Storms, director of security operations at San Francisco-based security firm nCircle, said that of the four, it's most urgent for IT administrators to install MS08-014, which fixes several Microsoft Office Excel flaws attackers could exploit to launch malicious code on targeted machines when the user opens a specially crafted Excel file.

The flaws affect Microsoft Office Excel 2000 Service Pack 3 and Excel 2002 Service Pack 3; Excel 2003 Service Pack 2; Excel Viewer 2003; Excel 2007; Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats; Office 2004 for Mac and Office 2008 for Mac. Microsoft addressed the problems by modifying how the program performs validations when opening Excel files.

"This one replaces an earlier update from January and we've been seeing active exploits against the flaws for at least six weeks," Storms said. "The exploit code is readily available for anyone who wants to weaponize it."


The second-most-important bulletin, in Storms' opinion, is MS08-015, which fixes a Microsoft Office Outlook flaw attackers could exploit to launch malicious code on targeted machines when Outlook is passed a specially crafted mailto URI.

Rains said the problem affects Microsoft Office Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3; Outlook 2003 Service Pack 2 and Service Pack 3; and Outlook 2007. Microsoft addressed the problem by modifying how Outlook handles mailto URIs.

"This isn't about a malformed file flaw like the issues this month," Storms said. "The exploit would come in the body of an email instead of in an attachment. It would look like a pretty harmless email but clicking the included URL will lead to a system compromise."

The other Microsoft security bulletins for March are:

MS08-016, which fixes two flaws in Microsoft Office attackers could exploit to launch malicious code if a user opens a malformed Office file. The problem affects Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003 Service Pack 2; Microsoft Excel Viewer 2003; Microsoft Excel Viewer 2003 Service Pack 3 and Microsoft Office 2004 for Mac.

Microsoft fixed the problems by modifying how Office allocates memory.

MS08-017, which fixes two flaws in Microsoft Office Web Components attackers could exploit to infect targeted machines with malware if the user views a specially crafted Web page. Microsoft said the update is critical for those using Office Web Components 2000 on supported editions of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1; Visual Studio .NET 2003 Service Pack 1; Microsoft BizTalk Server 2000; Microsoft BizTalk Server 2002; Microsoft Commerce Server 2000 and Internet Security and Acceleration Server 2000 Service Pack 2.

Microsoft said it addressed the problem by modifying how Microsoft Office Web Components handles error conditions and manages memory resources, and by setting the kill bits for Microsoft Office Spreadsheet 2000 controls.


