News Stay informed about the latest enterprise technology news and product updates.

Inside MSRC: Microsoft Excel patches plug serious phishing risk

Microsoft's Bill Sisk explains why a number of vulnerabilities in Excel should be patched to reduce the risk of dangerous phishing attacks.

For the month of March, there are a total of four security bulletins which all have a rating of Critical. In this month's column, I am going to focus on two of the four bulletins being released in order to help you in your risk assessment and deployment strategy. First, I will cover information relating to Microsoft Office Web Components 2000, MS08-017. Secondly, I will review vulnerabilities in Microsoft Excel, MS08-014.

This bulletin addresses two vulnerabilities in Microsoft Office Web Components 2000. Microsoft Office Web Components 2000 enables the use of Microsoft Office files on a website via ActiveX controls. In particular, users can view and/or edit a Microsoft Excel file, create pivot tables views, as well as create reports. There is also a control that allows for backend data source access to which the Microsoft Excel files can connect to for data retrieval. For example, a sales and marketing team can make historical data available for users to perform analysis, real-time, in a central web location.

About Inside MSRC:
As part of a special partnership with, Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

Also see:

Inside MSRC: Microsoft outlines Internet Explorer flaws

Inside MSRC: Critical Windows flaw affects XP, Vista

Inside MSRC: Message Block and queuing patches explored

Inside MSRC: Microsoft tells details about latest security advisories

With this in mind, there are two vulnerabilities, rated as Critical, in Microsoft Office Web Components 2000 that could allow an attacker, on their specially crafted webpage, to execute malicious code when a user views that webpage utilizing these vulnerable controls. Microsoft Office Web Components 2000 can be disabled if not being used in your environment by unregistering the Office Web Components 2000 Library. Detailed instructions on performing this task can be found in the bulletin under the Workarounds section. There are vast arrays of products that include these controls, so please review the bulletin for details. Most of the affected products in this particular bulletin are not detected by Microsoft Baseline Security Analyzer (MBSA) 2.0.1. However, Microsoft has worked with Shavlik Technologies to provide support for legacy security update detection. Please refer to the main MBSA website for additional information.

This bulletin addresses several Microsoft Excel vulnerabilities. Microsoft Office Excel 2000 Service Pack 3 is rated as Critical for all of the vulnerabilities addressed. The other product versions affected are rated as Important. Of the vulnerabilities, Microsoft Security Advisory 947563 is being addressed. The Advisory was originally published in mid January.

Most of the vulnerabilities addressed in this bulletin can be exploited via a malformed Microsoft Excel file sent from an attacker. When a user opens the file, malicious code is then executed on the user's system. Attackers may use social engineering methods to trick a user into opening a malicious file. "phishing" is a particularly troublesome type of social engineering to be cautious of for a vulnerability of this kind. Users of an organization may receive an email that conveys a sense of urgency so that readers will respond immediately without thinking. Indeed, the email could have the look and feel of common organizational emails such as an update from a well recognized person in the organization. With this type of threat in mind, it is important to deploy the security update as soon as possible. Admittedly, "as soon as possible" could take a number of days, or weeks, given possible testing that may be necessary for the updates before deployment. If this is the case in your situation, you may want to consider employing workarounds until you are able to apply the security update.

A workaround available for Office documents is the Microsoft Office Isolated Conversion Environment (MOICE). This environment can help reduce the effect of attacks by opening files in this isolated environment. Basically, MOICE converts binary format files into the newer Office Open XML format. Also, the conversion process runs in a very restricted manner thereby protecting the system just in case malicious code attempts execution while the file is being converted. You will know if there is a possible problem with the file if MOICE does not convert the file or the convertor crashes. In either case, MOICE is doing its job—keeping malicious code from running on the system. MOICE is a stopgap measure, so I would encourage you to install the security update when you are able to do so. Please refer to Microsoft Security Advisory 937696 for detailed information on MOICE and how to implement it.

There are four security bulletins being released for the month of March, all affecting Microsoft Office. Of the four, I reviewed MS08-017 which addresses vulnerabilities in Microsoft Office Web Components 2000, which can be implemented as ActiveX controls. As a mitigation or if not being used, Microsoft Office Web Components 2000 can be disabled. For legacy security update detection, users have the option to use Shavlik Technologies.

MS08-014 addresses several vulnerabilities in Microsoft Excel, including the vulnerability reported in Microsoft Security Advisory 947563. The Microsoft Office Isolated Conversion Environment (MOICE) can be used as a stopgap measure until the security updates can be deployed.

As always, testing the security updates on non-production machines first will help you identify issues that may arise from the security update process. For comprehensive guidance regarding testing and deployment, please review the Update Management Process.

I want to encourage you to take a moment and register for our regular monthly security bulletin Webcast, which will be held on Wednesday, March 12, at 11 a.m., PST.

Adrian Stone, lead security program manager, and I, security response communications manager, will review information about each bulletin to further aid in your planning and deployment. Immediately following the review session, we will answer your questions with information from our assembled panel of experts. If you aren't able to view the live webcast, it will also be available on-demand.

Please take a moment and mark your calendars for the April 2008, monthly bulletin. The release is scheduled for Tuesday, April 8, and the advance notification is scheduled for Thursday, April 3. Look for the April edition of this column on release day with information to help you with your planning and deployment of the most recent security bulletins.

Dig Deeper on Productivity apps and messaging security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.