News
Microsoft Issues Critical Patches for Office, Windows
- By Stephen Swoyer
- January 09, 2007
Microsoft Corp. started the new year by announcing four new patches that address
not-so-new vulnerabilities in several flavors of its Office and Windows products.
Microsoft identified critical vulnerabilities in Excel, Outlook and Windows.
Attackers can exploit any of these vulnerabilities to remotely run code on --
and also gain control of -- affected computers, Microsoft confirmed.
Notably absent from Microsoft's monthly patching party were fixes for no less
than three
Word exploits which first surfaced last month.
Nor does Tuesday's patch haul deliver on all that Microsoft originally promised
in its Advance Notification Security Bulletin last Thursday.
At the time, the software giant announced plans
to patch at least eight vulnerabilities -- including three flaws in its
Windows operating systems, one that affects both Windows and Visual Studio,
one affecting both Windows and Office, and three Office-specific flaws. Microsoft
did not explain why it pulled the other promised patches.
Four Patches, Three Critical Vulnerabilities
The software giant warned of no less than five vulnerabilities in several different
iterations of its Excel spreadsheet. These include an Excel Malformed IMDATA
Record flaw, an Excel Malformed Record flaw, an Excel Malformed String flaw,
an Excel Malformed Column Record flaw, and an Excel Malformed Palette Record
flaw.
The Excel vulnerabilities have varying degrees of severity depending on which
version of Office a customer has installed. Office 2000 is affected the most
-- Microsoft classifies the new patch as "critical" for Excel 2000
users -- while Excel XP, Excel 2003, Excel Viewer 2003, Excel 2004 for Mac and
Excel v.X for Mac are (in most cases) classified as "important."
According to Microsoft, post-Office 2000 versions of Excel are less susceptible
to any of the five identified vulnerabilities because they incorporate features
from its Office Document Open Confirmation Tool, which prompts users to Open,
Save or Cancel before opening a document. Similarly, Excel 2000 users who have
installed and enabled the Office Document Open Confirmation Tool have some additional
protection against attack.
According to Microsoft, none of the new Excel vulnerabilities have yet been
exploited in the wild, nor have Microsoft officials seen any examples of proof-of-concept
code.
Similarly, Microsoft patched
three vulnerabilities in its Outlook messaging and collaboration client.
The aggregate severity of all three vulnerabilities, in all supported versions
of Outlook (Outlook 2000, Outlook 2002 and Outlook 2003), is adjudged as "critical,"
Microsoft said. Successful exploitation of the first vulnerability, an Outlook
VEVENT flaw, could result in remote code execution in Outlook 2002 and Outlook
2003 clients (Outlook 2000 clients are not affected by this issue). The second,
a denial of service vulnerability, affects all three versions of Outlook. The
third, a vulnerability in Outlook's Advanced Find utility, is "critical"
on Outlook 2000 and "important" on Outlook 2002 and Outlook 2003.
Microsoft also patched
a remote code execution vulnerability which affects all supported versions
of its Windows operating systems -- with the exception of Windows Vista.
The vulnerability stems from a flaw in Microsoft's proprietary Vector Markup
Language (VML) implementation in Internet Explorer versions 5.01, 6 and 7 running
on all non-Vista operating environments, officials confirmed.
An attacker could potentially exploit it by crafting a malicious Web page and
inviting unsuspecting users to visit it, or by embedding malicious HTML in an
e-mail message. In the latter case, an Outlook user who has HTML rendering enabled
would have only to view a malicious e-mail message for the attack to be successful.
On the other hand, users who have disabled HTML rendering in Outlook would be
protected from attack -- unless they clicked an embedded link to visit the malicious
site, of course.
Finally, Microsoft warned of an "important"
vulnerability in its Office 2003 Brazilian Portuguese Grammar Checker.
Word at Risk
Notably absent from Microsoft's monthly patching party were fixes for no less
than three
Word exploits which first surfaced last month.
These exploits target unspecified vulnerabilities in all supported versions
of Microsoft Word, along with Microsoft Works. In early December, Microsoft
officials acknowledged that they were investigating
rumors of Word "zero-day" exploits.
"I wanted everyone to know that we're actively investigating and monitoring
all of these issues through our Software Security Incident Response Process
and we are working on developing and testing security updates for the three
issues, which we'll release as part of our release process once they've reached
an appropriate level of quality," wrote Alexandra Huft on Microsoft's Security
Response Center Blog last month.
In the interim, Microsoft suggests a rather common-sense workaround: don't
open or save Word documents that you receive from untrustworthy sources, or
documents you aren't expecting from (or which look suspicious when sent by)
trusted sources.
Other Windows Vulnerabilities Loom
Microsoft did not provide details about the pulled Windows patches, although
based on information the software giant provided last month, it's possible to
speculate about at least one of them. Just before Christmas, Microsoft's Mike
Reavey warned of another potential new vulnerability -- this one affecting Windows
Client Server Run-Time System -- which stemmed from a public posting of actual
proof-of-concept code.
"The [proof-of-concept] reportedly allows for local elevation of privilege
on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2
and Windows Vista operating systems," wrote Reavey on the MSRC blog. "Currently,
we have not observed any public exploitation or attack activity regarding this
issue. While I know this is a vulnerability that impacts Windows Vista, I still
have every confidence that Windows Vista is our most secure platform to date."