Volume 5, Number 10 -- March 12, 2008

Microsoft Patches 12 Critical Flaws in Office

Published: March 12, 2008

by Alex Woodie

Microsoft yesterday issued four patches that fix 12 critical security vulnerabilities in Excel, Outlook, and other Office components, flaws that attackers could exploit to take total control of affected PCs. One of them is a zero-day flaw that hackers have already started exploiting, and another could provide a pathway for infecting users with malicious ads served by otherwise secure Web sites. The monthly patch roundup continues a trend in which hackers probe for flaws in client-side applications rather than in servers.

The monster patch for March is Security Bulletin MS08-014, which identifies and resolves seven security vulnerabilities in all recent versions of Excel except for Excel 2007 Service Pack 1 (SP1) and Excel 2003 SP3. This patch fixes a range of recently discovered problems with the way Excel imports, parses, validates, and formats files.

The most dangerous of the seven deadly flaws is the Excel Macro Validation Vulnerability, a zero-day vulnerability discovered by researchers at SAIC and VeriSign that hackers have started using to compromise computers over the Internet. Microsoft believes that none of the other vulnerabilities, which were privately reported to Microsoft by researchers at iDefenseLabs, JFE Systems, Fortinet, TippingPoint DVLabs, and WebSense Labs, has been used to compromise PCs.

A critical security flaw affecting every version of Outlook since Outlook 2000 was fixed with Security Bulletin MS08-015. A problem with the way Outlook validates mailto URIs could allow an attacker to take total control of a computer if the victim is tricked into visiting a malicious Web site. Microsoft says this flaw, which was discovered by iDefenseLabs, is not currently being exploited.
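The Outlook bulletin above turns on how a mailto URI is validated before anything acts on it. As an added example (my own code, not Outlook's, not Microsoft's fix, and not a description of the flaw, whose details the article does not give), here is the kind of strict allowlist validation a defender can place in front of any component that consumes mailto links: unknown header fields, control characters that appear after percent-decoding, and addresses outside a narrow character set are refused rather than passed along. The header allowlist and the address pattern are my assumptions, deliberately narrower than what the mailto and e-mail RFCs permit.

```python
import re
from urllib.parse import unquote

# Assumed allowlist: only these mailto header fields are honoured.
ALLOWED_HEADERS = frozenset({"to", "cc", "bcc", "subject", "body"})

# Deliberately narrower than RFC 5322: letters, digits, dot, underscore, plus
# and hyphen in the local part; dotted labels of letters, digits, hyphen after it.
ADDR_SPEC_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Any ASCII control character (NUL, CR, LF, ...) surviving decoding is rejected.
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


class MailtoError(ValueError):
    """Raised when a mailto URI fails validation."""


def _check_address(addr):
    addr = addr.strip()
    if CTRL_RE.search(addr) or not ADDR_SPEC_RE.match(addr):
        raise MailtoError("invalid recipient address: %r" % addr)
    return addr


def parse_mailto(uri):
    """Validate a mailto URI and return (recipients, headers).

    Raises MailtoError on anything outside the allowlist, so the caller can
    refuse the link instead of hoping the mail client copes with it.
    """
    if not uri.lower().startswith("mailto:"):
        raise MailtoError("not a mailto URI")
    rest = uri[len("mailto:"):]
    if "#" in rest:
        raise MailtoError("fragment not allowed")
    addr_part, has_query, query = rest.partition("?")

    # Recipients before the '?' are comma-separated and may be percent-encoded.
    recipients = []
    for raw in (addr_part.split(",") if addr_part else []):
        recipients.append(_check_address(unquote(raw)))

    # Header fields after the '?' are name=value pairs joined by '&'.
    headers = {}
    if has_query:
        for field in query.split("&"):
            name, has_eq, value = field.partition("=")
            if not has_eq:
                raise MailtoError("malformed header field: %r" % field)
            name = unquote(name).lower()
            if name not in ALLOWED_HEADERS:
                raise MailtoError("header not allowed: %r" % name)
            value = unquote(value)
            if CTRL_RE.search(value):
                raise MailtoError("control character in header %r" % name)
            if name in ("to", "cc", "bcc"):
                for raw in value.split(","):
                    recipients.append(_check_address(raw))
            else:
                headers[name] = value

    if not recipients:
        raise MailtoError("no recipient")
    return recipients, headers


def is_safe_mailto(uri):
    """True if the URI passes parse_mailto, False otherwise."""
    try:
        parse_mailto(uri)
        return True
    except MailtoError:
        return False


if __name__ == "__main__":
    # Constructed sample URIs, not taken from the bulletin.
    samples = [
        "mailto:alice@example.com?subject=Patch%20status",
        "mailto:alice@example.com?subject=line1%0Aline2",
        "mailto:alice@example.com?x-attach=C:%5Cnotes.txt",
        'mailto:"alice"@example.com',
    ]
    for s in samples:
        print("%-55s %s" % (s, "accept" if is_safe_mailto(s) else "reject"))
```

The design choice is to validate after decoding, because the encoded form is what a page can make look harmless; and to refuse anything not explicitly allowed, because a mailto handler's argument parsing is exactly the component a validator cannot see into.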

More Excel flaws were patched with Security Bulletin MS08-016. This patch fixes two remote code execution vulnerabilities in recent versions of Excel (except for Excel 2007), the Office Cell Parsing Memory Corruption Vulnerability and the Office Memory Corruption Vulnerability, either of which an attacker could use to take control of a PC remotely. One of the flaws was reported to Microsoft by the Zero Day Initiative (the other reporter wished to remain anonymous), but neither is considered a zero-day flaw.

The final patch of the month is Security Bulletin MS08-017, which fixes two critical remote code execution flaws in Office Web Components 2000 and assorted other products that use that piece of software, including Office XP, Visual Studio .NET 2002 and 2003, BizTalk Server 2000 and 2002, Commerce Server 2000, and ISA Server 2000. Neither of these flaws, which were reported to Microsoft by VigilantMinds, NCNIPC, and Finjan, is being exploited in the wild, according to Microsoft.

The flaws patched by MS08-017 could potentially have a serious impact even on legitimate Web sites, according to Sheldon Malm, director of vulnerability research for nCircle. "Microsoft even describes how a malicious banner [advertisement] could exploit one vulnerability, so a user visiting a popular, secure Web page that happens to display third-party ads could easily lead to exploitation and allow hackers to take complete control of a user's system," Malm says.

The spate of client-side vulnerabilities in products from Microsoft and other software vendors over the last few months raises questions about how organizations should protect themselves in this evolving security landscape, says Amol Sarwate, manager of the vulnerability research lab at security software company Qualys.

"These attacks are especially nefarious as there is no simple traditional security approach, such as blocking an incoming traffic port, that would be able to detect and prevent its delivery to the intended recipient," Sarwate says. "Rather, prevention relies heavily on end-user education and regular system patching."

Microsoft's TechNet Security Center will hold a Webcast today at 11 a.m. PDT to discuss the latest patches. For more information and to register for the Webcast, go to www.microsoft.com/technet/security/default.mspx.

Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034