Microsoft Patches 12 Critical Flaws in Office
Published: March 12, 2008
by Alex Woodie
Microsoft yesterday issued four patches that fix 12 critical security vulnerabilities in Excel, Outlook, and other Office components that attackers could exploit to take total control of affected PCs. One zero-day flaw was also identified that hackers have already started exploiting, and another flaw could provide a pathway for infecting users with malicious ads served by otherwise secure Web sites. The monthly patch roundup continues the trend that has seen hackers probing for flaws in client-side applications, instead of problems with servers.
The monster patch for March is Security Bulletin MS08-014, which identifies and resolves seven security vulnerabilities in all recent versions of Excel except for Excel 2007 Service Pack 1 (SP1) and Excel 2003 SP3. This patch fixes a range of recently discovered problems with the way Excel imports, parses, validates, and formats files.
The most dangerous of the seven deadly flaws is the Excel Macro Validation Vulnerability, a zero-day vulnerability discovered by researchers at SAIC and VeriSign that hackers have started using to compromise computers over the Internet. It is believed by Microsoft that none of the other vulnerabilities, which were privately reported to Microsoft by researchers at iDefenseLabs, JFE Systems, Fortinet, TippingPoint DVLabs, and WebSense Labs, have been used to compromise PCs.
A critical security flaw affecting every version of Outlook since Outlook 2000 was fixed with Security Bulletin MS08-015. A problem with the way Outlook validates mailto URIs could allow an attacker to take total control of a computer if the victim is tricked into visiting a malicious Web site. Microsoft says this flaw, which was discovered by iDefenseLabs, is not currently being exploited.
More Excel flaws were patched with Security Bulletin MS08-016. This patch fixes two remote code execution vulnerabilities in recent versions of Excel (except for Excel 2007), including the Office Cell Parsing Memory Corruption Vulnerability and the Office Memory Corruption Vulnerability, both of which can be remotely executed to take over control of a PC. While one of the flaws was reported to Microsoft by the Zero Day Initiative (the other reporter wished to remain anonymous), neither one of these flaws are considered zero- day flaws.
The final patch of the month is Security Bulletin MS08-017, which fixes two critical remote code execution flaws in the Office Web Components 2000 and assorted other products that use that piece of software, including Office XP, Visual Studio .NET 2002 and 2003, BizTalk Server 2000 and 2002, Commerce Server 2000, and ISA Server 2000. Neither of these flaws, which were reported to Microsoft by VigiliantMinds, NCNIPC, and Finjan, are being exploited in the wild, according to Microsoft.
The flaws patched by MS08-017 could potentially have a serious impact even on legitimate Web sites, according to Sheldon Malm, director of vulnerability research for nCircle. "Microsoft even describes how a malicious banner [advertisement] could exploit one vulnerability, so a user visiting a popular, secure Web page that happens to display third-party ads could easily lead to exploitation and allow hackers to take complete control of a user's system," Malm says.
The recent spate of client-side vulnerabilities in products from Microsoft and other software vendors over the last few months raises questions about how organizations should protect themselves in this evolving security landscape, says Amol Sarwate, manager of the vulnerability research lab at security software company Qualys.
"These attacks are especially nefarious as there is no simple traditional security approach, such as a blocking an incoming traffic port, that would be able to detect and prevent its delivery to the intended recipient," Sarwate says. "Rather, prevention relies heavily on end-user education and regular system patching."
Microsoft's TechNet Security Center will hold a Webcast today at 11 a.m. PDT to discuss the latest patches. For more information and to register for the Webcast, go to www.microsoft.com/technet/security/default.mspx.
Surf's Up for Web-Based Organized Crime, IBM X-Force Says
Bleak Outlook for Information Security, According to Researchers
In Search Of a More Secure Internet
Security Attacks and Breaches on the Rise
MPack Hacker Tool Claims 10,000 Compromised Web Sites
Post this story to del.icio.us
Post this story to Digg
Post this story to Slashdot