February 12th, 2008
Microsoft delivers 11 patches, 6 critical; Excel flaw left unpatched
Updated: Microsoft delivered 11 patches on Tuesday addressing 17 vulnerabilities. Six updates fix critical flaws and five address important vulnerabilities, but an already exploited Excel zero day was left unpatched.
Microsoft’s advisory last week noted 12 patches fixing 7 critical vulnerabilities. One critical Windows vulnerability was cut due to quality issues.
A Microsoft spokesman did confirm that this batch of patches didn’t address the Excel flaw that was reported last month. On Jan. 16, the Microsoft Security Response Center confirmed ongoing attacks against Excel. Microsoft at the time recommended that users either run files through a tool that strips out exploit code or block Office 2003 and earlier formats except for those from trusted locations.
Given that Excel resides in every enterprise leaving the flaw unpatched may raise some hackles. A Microsoft spokesman indicated that the Excel patch wasn’t ready for prime time. Here’s Microsoft’s statement sent to me:
Microsoft is always investigating potential and existing vulnerabilities in an effort to help protect our customers. Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release.
Among the more notable February patches for critical flaws:
MS08-008: Microsoft addressed a vulnerability in Vista’s OLE automation that could allow for a remote code execution. Microsoft said: This security update addresses the vulnerability by adding a check on memory requests within OLE Automation. Affected software includes Windows 2000, Windows XP, Windows Vista, Microsoft Office 2004 for the Mac and Visual Basic 6.
MS08-009: This patch addressed a vulnerability in Word that could allow a remote code execution. Microsoft noted: “An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” Affected software included Office 2000, Office 2003 and Office Word Viewer 2003.
MS08-007: Another XP and Vista patch. This patch fixes the WebDAV Mini-Redirector. In a nutshell, it’s another avenue to take control of a system, install programs and do other things.
MS08-010: This update fixes multiple flaws in IE that allow for remote code executions. Microsoft said: “The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles HTML and validates data, as well as by setting the kill bit for an ActiveX control.” Stray thought: You could just kill ActiveX.
MS08-012: This update resolves a remote code execution flaw in Microsoft Office Publisher. Affects Microsoft Office Publisher 2000; supported releases of Microsoft Office Publisher 2002; and supported editions of Microsoft Office Publisher 2003 Service Pack 2.
MS08-013: Microsoft’s update here covers a remote code execution vulnerability in Office 2000. It’s an important update for Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2004 for Mac.
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.
| 02/12/08
