Microsoft Patch Tuesday Fixes A Dozen Office Flaws - InformationWeek
Security researchers suggest client-side vulnerabilities are more likely to bear fruit for hackers than server-side vulnerabilities.

Microsoft on Tuesday fixed 12 vulnerabilities in four security bulletins, all of which affect Microsoft Office.

The fact that all the vulnerabilities found reside in Microsoft Office, said Eric Schultze, chief technology officer of Shavlik Technologies, supports the current belief that client-side vulnerabilities are more likely to bear fruit for hackers than server-side vulnerabilities.

MS08-014 (maximum severity of Critical) addresses a zero-day vulnerability in Microsoft Office Excel that Microsoft acknowledged in January. It could allow an attacker to take over an affected system if the victim opens a maliciously crafted Excel file.

Amol Sarwate, manager of the vulnerability research lab at Qualys, said that macro vulnerabilities in Excel have been a recurring problem for about a decade. While exploits for the Excel flaw have been spotted in the wild, he said that damage appears to be relatively limited. He also said it's difficult to be sure about that because not all damage arising from exploitation of the vulnerability has been publicized.

The usual method of exploiting this kind of flaw is enticing a user to open a file. "This is a concern because there's no simple firewall adjustment that can address this," Sarwate said.

MS08-015 (maximum severity of Critical) addresses a new, privately reported vulnerability in Microsoft Office Outlook. The flaw could allow an attacker to read and re-route a user's e-mail messages.

Schultze considers this vulnerability the most interesting of this month's crop. "This is the first one I'd patch because it's exploiting something that's never been exploited before," he said.

The flaw addressed by MS08-015 allows an attacker to execute remote code through Outlook if the victim clicks on a maliciously crafted "mailto:" link. "Users have never had to watch out for malicious e-mail links before," said Schultze. "I think we'll see this get exploited quite a bit."

MS08-016 (maximum severity of Critical) repairs two new, privately reported vulnerabilities in Microsoft Office 2000. The vulnerabilities could allow an attacker to subvert an affected system.

MS08-017 (maximum severity of Critical) fixes two new, privately reported vulnerabilities in Microsoft Office Web Components. As above, these flaws could allow an attacker to take control of an affected system.

The four bulletins affect various versions of Microsoft Office. In the case of MS08-014, Mac versions of Office 2004 and Office 2008 are also affected.

Andrew Storms, director of security operations at nCircle, said this month's patch cycle represented a "shining example" of mitigating Microsoft Office vulnerabilities. He noted that Office users without administrative privileges won't be affected by these flaws as much as users running with full privileges.

Storms also said that Microsoft's newer Office apps appear to be less vulnerable than its older ones. "When the support line for Office 2000 and Office 2003 drops off the board, we're probably going to see a pretty significant reduction in Office vulnerability," he said.

"Microsoft has been doing something right," said Schultze. "Over time, the apps are getting better and stronger. It shows a trend toward Microsoft getting better at this."
