Microsoft has released critical security patches for its Office software, fixing
a flaw in Excel that had been exploited by attackers for the past two months.
The bug fixes were released Tuesday in four
software updates for Excel, Outlook, Office 2000 and Office's Web components.
Microsoft rates all of the updates as critical, meaning that an attacker could
theoretically exploit these flaws in order to hack into a victim's computer.
In total, 12 vulnerabilities are fixed in the four updates.
Typically Microsoft includes bug fixes for Windows or Internet Explorer in
its monthly security updates, and security experts said Tuesday that this is
the first time they could remember Microsoft focusing the patches exclusively
on Office.
It's a sign of the times, according to Paul Zimski, senior director of market
strategy with Lumension.
Between 2006 and 2007 the number of attacks targeting Office software doubled,
he said. "Malicious entities are looking toward Office as a vector for
delivering malicious code," he said. "You can't really mitigate against
Office: organizations can't block Office attachments and Office documents are
generally trusted by users."
Although all of Tuesday's updates are critical, system administrators will
want to pay special attention to MS08-014,
because it fixes a publicly disclosed flaw that hackers have been exploiting
for several months now. "This is the long awaited patch for the Excel zero
day issue first reported in mid-January 2008," said Eric Schultze, chief
security architect with Shavlik Technologies, via instant message. "Angst-ridden
computer users can now sleep easy knowing that they can now open malicious Excel
documents without fear of being hacked."
"Patch this one as soon as possible if you visit illicit Web sites or
open malformed Excel documents on a regular basis," he added.
This previously disclosed bug affects users of Excel 2000, 2002 and 2003 Service
Pack 2; customers running Excel 2007 or Excel 2003 Service Pack 3 are not at
risk, according to Microsoft.
Another update to watch is the MS08-015 patch, which fixes a flaw that could
easily be exploited by attackers.
By tricking the victim into clicking on a specially crafted "mailto"
Web link, an attacker could "install programs; view, change, or delete
data; or create new accounts with full user rights," Microsoft said in its
security bulletin.
These types of bugs, called URI (Uniform Resource Identifier) handling flaws,
have been increasingly studied by hackers and security researchers over the
past year, and they have led to a number of effective Web-based attacks.
Schultze said that he would patch the MS08-015
update before all others. That's because, while users may now be learning
to hesitate before opening untrusted Office documents, they generally don't
think twice about clicking on a Web link.
"Clicking on the email link can allow the attacker to run code on your
system, assuming that you have Microsoft Outlook," Schultze said. "There
would be very little way to know ahead of time whether or not the mail link
was evil. I expect we'll see exploit code for this very shortly."
The two other security updates fix critical flaws in Office and in the Office
Web Components ActiveX controls used by products such as Office, BizTalk
Server, Commerce Server, and the Internet Security and Acceleration (ISA) Server.