
Microsoft repairs Excel flaws, warns of new IE vulnerability

Two bulletins address eight vulnerabilities in Microsoft Windows and Office. Internet Explorer advisory warns of new zero-day being used in targeted attacks.

Microsoft repaired a bevy of vulnerabilities in Excel on Tuesday and warned of a new zero-day vulnerability in Internet Explorer that attackers are already targeting.


The software giant issued two bulletins in March, repairing eight vulnerabilities that affect Microsoft Windows and Office. In addition, a new advisory warns of ongoing targeted attacks against an Internet Explorer zero-day vulnerability affecting IE 6 and IE 7.

The Internet Explorer advisory warned that Microsoft engineers were investigating new reports of an IE zero-day vulnerability. Users of IE 8 and those running Windows 7, Windows Vista or Windows Server 2008 are not affected by the flaw, said Jerry Bryant, senior communications manager lead at the Microsoft Security Response Center.

Microsoft updates:
Feb. - Microsoft patches SMB flaws, Hyper-V problem in big update: Microsoft issued 13 bulletins, patching more than two dozen flaws across its product line, including critical Server Message Block flaws and a hypervisor DoS vulnerability.

Jan. - Microsoft issues critical security update, blocks IE 6 attacks: Microsoft issued an emergency patch today blocking ongoing attacks against corporate networks that have been exploiting a vulnerability in Internet Explorer 6.

Jan. - Microsoft releases Windows OpenType Font Engine patch: Lone security bulletin is critical for Windows 2000 users.

Dec. - Microsoft gives Internet Explorer a major security overhaul: The final regular Microsoft update of 2009 repairs five critical vulnerabilities in IE and blocks public exploit code, which surfaced in November.

"We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible," Bryant said in the MSRC blog.

The advisory warns that attackers are using spear phishing messages to exploit the vulnerability in "targeted attacks." The messages attempt to get a user to click on a link leading to a malicious website. Once the victim visits the attack website, malware and other code is downloaded onto the victim's machine, Microsoft said. The software giant issued a number of workarounds to block the attacks, including setting the Internet security zone to High and disabling active scripting.

Excel, Movie Maker vulnerabilities
The two bulletins issued Tuesday repair seven flaws in Microsoft Excel and an error in Windows Movie Maker that an attacker could use to gain complete control of a victim's machine.

Although the bulletins were rated important, they were given a rating of 1 on the Microsoft Exploitability Index, meaning the vulnerabilities make attractive targets for attackers and are likely to be used consistently in attacks.

MS10-017 repairs vulnerabilities affecting all currently supported versions of Microsoft Office Excel. Microsoft said the bulletin is rated important and also affects Office 2004 and Office 2008 for Mac. Excel contains several memory corruption vulnerabilities, including a heap overflow error and a file parsing flaw.

MS10-016 addresses a project file handling vulnerability in Windows Movie Maker and Microsoft Producer 2003. The hole can be exploited if a user opens a malicious Movie Maker or Microsoft Producer project file. A malicious project file could trigger a buffer overflow and enable an attacker to take complete control of the machine. Microsoft's Bryant said Producer 2003, which was freely distributed, is not receiving the update.

"We recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security," Bryant said.
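The article describes two workarounds an administrator might roll out while waiting for patches: the Internet Explorer advisory's Internet zone hardening (zone set to High, active scripting disabled) and the Fix It that disassociates the Movie Maker project file type. The read-only audit below is an added example written for this page; it is not code from the article, from Microsoft or from the Fix It. The Internet zone registry path, the CurrentLevel value and the "1400" (Active scripting) value are documented Internet Explorer zone settings; the .mswmm project-file extension is an assumption, as is the function naming.

```powershell
# Added example, not from the article or from Microsoft: a read-only audit of the
# advisory workarounds. Nothing here changes the system; it only reports state.
Set-StrictMode -Version Latest

# Documented CurrentLevel template values for an IE security zone.
$ZoneLevelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
# Documented values for the "1400" (Active scripting) zone setting.
$ScriptingNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-InternetZoneState {
    # Zone 3 is the Internet zone. HKLM is audited as well because the
    # Security_HKLM_only policy makes machine-wide zone settings take precedence.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')

    $key   = '{0}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -f $Hive
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return $null }   # hive has no zone configuration

    # Values may be absent on an untouched profile, so probe before reading.
    $level  = if ($props.PSObject.Properties['CurrentLevel']) { [int]$props.CurrentLevel } else { $null }
    $script = if ($props.PSObject.Properties['1400'])         { [int]$props.'1400' }        else { $null }

    [pscustomobject]@{
        Hive            = $Hive
        LevelName       = if ($null -ne $level  -and $ZoneLevelNames.ContainsKey($level))  { $ZoneLevelNames[$level] }  else { 'Custom/unknown' }
        ActiveScripting = if ($null -ne $script -and $ScriptingNames.ContainsKey($script)) { $ScriptingNames[$script] } else { 'Unknown' }
        # Both advisory workarounds must hold: zone at High and scripting disabled.
        WorkaroundMet   = ($level -eq 0x12000) -and ($script -eq 3)
    }
}

function Get-ProjectFileAssociation {
    # Assumption: Windows Movie Maker project files use the .mswmm extension.
    # HKEY_CLASSES_ROOT merges machine and per-user associations, so reading it
    # reflects what the shell will actually launch for a double-clicked file.
    param([string]$Extension = '.mswmm')

    $key    = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue
    $progId = if ($key) { $key.GetValue('') } else { $null }   # default value holds the ProgID

    [pscustomobject]@{
        Extension     = $Extension
        ProgId        = $progId
        # An empty or missing ProgID means the file type no longer opens the application.
        Disassociated = [string]::IsNullOrEmpty($progId)
    }
}

# Report findings for both hives and the project file type.
Get-InternetZoneState -Hive HKCU
Get-InternetZoneState -Hive HKLM
Get-ProjectFileAssociation
```

Run it in the user's own session: zone settings under HKCU are per profile, so an audit run as a different account reports that account's settings, not the one at risk. A `LevelName` of Custom/unknown with `ActiveScripting` reported as Disabled still satisfies the scripting half of the workaround; the `WorkaroundMet` flag is deliberately strict and requires both.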
