News

Microsoft Issues Critical Patches for Office, Windows

• By Stephen Swoyer
• 01/09/2007

Microsoft identified critical vulnerabilities in Excel, Outlook and Windows. Attackers can exploit any of these vulnerabilities to remotely run code on -- and also gain control of -- affected computers, Microsoft confirmed.

Notably absent from Microsoft's monthly patching party were fixes for no less than three Word exploits which first surfaced last month.

Nor does Tuesday's patch haul deliver on all that Microsoft originally promised in its Advance Notification Security Bulletin last Thursday.

At the time, the software giant announced plans to patch at least eight vulnerabilities -- including three flaws in its Windows operating systems, one that affects both Windows and Visual Studio, one affecting both Windows and Office, and three Office-specific flaws. Microsoft did not explain why it pulled the other promised patches.

Four Patches, Three Critical Vulnerabilities
The software giant warned of no less than five vulnerabilities in several different iterations of its Excel spreadsheet. These include an Excel Malformed IMDATA Record flaw, an Excel Malformed Record flaw, an Excel Malformed String flaw, an Excel Malformed Column Record flaw, and an Excel Malformed Palette Record flaw.

The Excel vulnerabilities have varying degrees of severity depending on which version of Office a customer has installed. Office 2000 is affected the most -- Microsoft classifies the new patch as "critical" for Excel 2000 users -- while Excel XP, Excel 2003, Excel Viewer 2003, Excel 2004 for Mac and Excel v.X for Mac are (in most cases) classified as "important."

According to Microsoft, post-Office 2000 versions of Excel are less susceptible to any of the five identified vulnerabilities because they incorporate features from its Office Document Open Confirmation Tool, which prompts users to Open, Save or Cancel before opening a document. Similarly, Excel 2000 users who have installed and enabled the Office Document Open Confirmation Tool have some additional protection against attack.

According to Microsoft, none of the new Excel vulnerabilities have yet been exploited in the wild, nor have Microsoft officials seen any examples of proof-of-concept code.

Similarly, Microsoft patched three vulnerabilities in its Outlook messaging and collaboration client.

The aggregate severity of all three vulnerabilities, in all supported versions of Outlook (Outlook 2000, Outlook 2002 and Outlook 2003), is adjudged as "critical," Microsoft said. Successful exploitation of the first vulnerability, an Outlook VEVENT flaw, could result in remote code execution in Outlook 2002 and Outlook 2003 clients (Outlook 2000 clients are not affected by this issue). The second, a denial of service vulnerability, affects all three versions of Outlook. The third, a vulnerability in Outlook's Advanced Find utility, is "critical" on Outlook 2000 and "important" on Outlook 2002 and Outlook 2003.

Microsoft also patched a remote code execution vulnerability which affects all supported versions of its Windows operating systems -- with the exception of Windows Vista.

The vulnerability stems from a flaw in Microsoft's proprietary Vector Markup Language (VML) implementation in Internet Explorer versions 5.01, 6 and 7 running on all non-Vista operating environments, officials confirmed.

An attacker could potentially exploit it by crafting a malicious Web page and inviting unsuspecting users to visit it, or by embedding malicious HTML in an e-mail message. In the latter case, an Outlook user who has HTML rendering enabled would have only to view a malicious e-mail message for the attack to be successful. On the other hand, users who have disabled HTML rendering in Outlook would be protected from attack -- unless they clicked an embedded link to visit the malicious site, of course.

Finally, Microsoft warned of an "important" vulnerability in its Office 2003 Brazilian Portuguese Grammar Checker.

Word at Risk
Notably absent from Microsoft's monthly patching party were fixes for no less than three Word exploits which first surfaced last month.

These exploits target unspecified vulnerabilities in all supported versions of Microsoft Word, along with Microsoft Works. In early December, Microsoft officials acknowledged that they were investigating rumors of Word "zero-day" exploits.

"I wanted everyone to know that we're actively investigating and monitoring all of these issues through our Software Security Incident Response Process and we are working on developing and testing security updates for the three issues, which we'll release as part of our release process once they've reached an appropriate level of quality," wrote Alexandra Huft on Microsoft's Security Response Center Blog last month.

In the interim, Microsoft suggests a rather common-sense workaround: don't open or save Word documents that you receive from untrustworthy sources, or documents you aren't expecting from (or which look suspicious when sent by) trusted sources.

Other Windows Vulnerabilities Loom
Microsoft did not provide details about the pulled Windows patches, although based on information the software giant provided last month, it's possible to speculate about at least one of them. Just before Christmas, Microsoft's Mike Reavey warned of another potential new vulnerability -- this one affecting Windows Client Server Run-Time System -- which stemmed from a public posting of actual proof-of-concept code.

"The [proof-of-concept] reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems," wrote Reavey on the MSRC blog. "Currently, we have not observed any public exploitation or attack activity regarding this issue. While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date."