Microsoft released four critical security updates Tuesday to fix 12 vulnerabilities in various components of its widely used Office program, including Excel and Outlook.
Tim Rains, communications chief for Microsoft Security Response, said all of this month's bulletins are for critical vulnerabilities attackers could exploit to take complete control of targeted machines. A successful attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Cupertino, Calif.-based security vendor Symantec deemed the patch release serious enough to raise its ThreatCon from Level 1 to 2, indicating an increased risk of attack for Office users. "We urge customers to apply the available patches immediately," Symantec said in an email to customers of its DeepSight threat management service.
Andrew Storms, director of security operations at San Francisco-based security firm nCircle, said that of the four, it's most urgent for IT administrators to install MS08-014, which fixes several Microsoft Office Excel flaws attackers could exploit to launch malicious code on targeted machines when the user opens a specially crafted Excel file.
The flaws affect Microsoft Office Excel 2000 Service Pack 3; Excel 2002 Service Pack 3; Excel 2003 Service Pack 2; Excel Viewer 2003; Excel 2007; Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats; Office 2004 for Mac; and Office 2008 for Mac. Microsoft addressed the problems by modifying how the program performs validations when opening Excel files.
"This one replaces an earlier update from January and we've been seeing active exploits against the flaws for at least six weeks," Storms said. "The exploit code is readily available for anyone who wants to weaponize it."
The second-most-important bulletin, in his opinion, is MS08-015, which fixes a Microsoft Office Outlook flaw attackers could exploit to launch malicious code on targeted machines when Outlook is passed a specially crafted mailto URI.
Rains said the problem affects Microsoft Office Outlook 2000 Service Pack 3; Outlook 2002 Service Pack 3; Outlook 2003 Service Pack 2 and Service Pack 3; and Outlook 2007. Microsoft addressed the problem by modifying how Outlook handles mailto URIs.
"This isn't about a malformed file flaw like the issues this month," Storms said. "The exploit would come in the body of an email instead of in an attachment. It would look like a pretty harmless email but clicking the included URL will lead to a system compromise."
The other Microsoft security bulletins for March are:
MS08-016, which fixes two flaws in Microsoft Office attackers could exploit to launch malicious code if a user opens a malformed Office file. The problem affects Microsoft Office 2000; Microsoft Office XP; Microsoft Office 2003 Service Pack 2; Microsoft Excel Viewer 2003; Microsoft Excel Viewer 2003 Service Pack 3; and Microsoft Office 2004 for Mac.
Microsoft fixed the problems by modifying how Office allocates memory.
MS08-017, which fixes two flaws in Microsoft Office Web Components attackers could exploit to infect targeted machines with malware if the user views a specially crafted Web page. Microsoft said the update is critical for those using Office Web Components 2000 on supported editions of Microsoft Office 2000 Service Pack 3; Microsoft Office XP Service Pack 3; Visual Studio .NET 2002 Service Pack 1; Visual Studio .NET 2003 Service Pack 1; Microsoft BizTalk Server 2000; Microsoft BizTalk Server 2002; Microsoft Commerce Server 2000; and Internet Security and Acceleration Server 2000 Service Pack 2.
Microsoft said it addressed the problem by modifying how Microsoft Office Web Components handles error conditions and manages memory resources, and by setting the kill bits for Microsoft Office Spreadsheet 2000 controls.
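For administrators who want to confirm that the kill bits mentioned above actually took effect after patching, the following PowerShell function is an added example, not code from the article or from Microsoft. It reads the registry location where Internet Explorer stores ActiveX kill bits (the DWORD "Compatibility Flags" under the ActiveX Compatibility key, with bit 0x400 meaning the control is blocked). The CLSID used below is a placeholder; the article does not list the identifiers of the Office Spreadsheet 2000 controls, so substitute the CLSIDs given in the MS08-017 bulletin.

```powershell
# Added example (not from the article): check whether an ActiveX kill bit is set.
# Kill bits are stored at
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# as the DWORD value "Compatibility Flags"; bit 0x400 marks the control as blocked.
function Test-KillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid   # e.g. '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'
    )

    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    # No entry at all means no kill bit has ever been set for this control.
    if (-not (Test-Path -Path $key)) {
        return [pscustomobject]@{
            Clsid      = $Clsid
            KillBitSet = $false
            Flags      = $null
            Note       = 'no ActiveX Compatibility entry'
        }
    }

    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $isSet = ($null -ne $flags) -and (($flags -band 0x400) -eq 0x400)

    [pscustomobject]@{
        Clsid      = $Clsid
        KillBitSet = $isSet
        Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
        Note       = if ($isSet) { 'blocked' } else { 'NOT blocked: verify MS08-017 is installed' }
    }
}

# PLACEHOLDER CLSID: replace with the control identifiers listed in the MS08-017 bulletin.
$clsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000000}'
)

$clsidsToCheck | ForEach-Object { Test-KillBit -Clsid $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt on a patched workstation; a row reporting `KillBitSet` as `False` for a control the bulletin says should be blocked is a sign the update did not apply. On 64-bit Windows, 32-bit controls are recorded under the Wow6432Node branch of the same path, so check both branches if the machine runs a 64-bit OS.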