Microsoft Patch Tuesday Fixes A Dozen Office Flaws

Security researchers suggest that client-side vulnerabilities are more likely to bear fruit for hackers than server-side vulnerabilities.

Microsoft on Tuesday fixed 12 vulnerabilities in four security bulletins, all of which affect Microsoft Office.

The fact that all the vulnerabilities fixed this month reside in Microsoft Office, said Eric Schultze, chief technology officer of Shavlik Technologies, supports the current belief that client-side vulnerabilities are more likely to bear fruit for hackers than server-side vulnerabilities.

MS08-014 (maximum severity of Critical) addresses a zero-day vulnerability in Microsoft Office Excel that Microsoft acknowledged in January. It could allow an attacker to take over an affected system if the victim opens a maliciously crafted Excel file.

Amol Sarwate, manager of the vulnerability research lab at Qualys, said that macro vulnerabilities in Excel have been a recurring problem for about a decade. While exploits for the Excel flaw have been spotted in the wild, he said that damage appears to be relatively limited. He also said it's difficult to be sure about that because not all damage arising from exploitation of the vulnerability has been publicized.

The usual method of exploiting this kind of flaw is enticing a user to open a file. "This is a concern because there's no simple firewall adjustment that can address this," Sarwate said.

MS08-015 (maximum severity of Critical) addresses a new, privately reported vulnerability in Microsoft Office Outlook. The flaw could allow an attacker to read and re-route a user's e-mail messages.

Schultze considers this vulnerability the most interesting of this month's crop. "This is the first one I'd patch because it's exploiting something that's never been exploited before," he said.

MS08-015 allows an attacker to execute remote code through Outlook if the victim clicks on a maliciously crafted "mailto:" link. "Users have never had to watch out for malicious e-mail links before," said Schultze. "I think we'll see this get exploited quite a bit."

MS08-016 (maximum severity of Critical) repairs two new, privately reported vulnerabilities in Microsoft Office 2000. The vulnerabilities could allow an attacker to subvert an affected system.

MS08-017 (maximum severity of Critical) fixes two new, privately reported vulnerabilities in Microsoft Office Web Components. As above, these flaws could allow an attacker to take control of an affected system.

The four bulletins affect various versions of Microsoft Office. In the case of MS08-014, Mac versions of Office 2004 and Office 2008 are also affected.

Andrew Storms, director of security operations at nCircle, said this month's patch cycle represented a "shining example" of mitigating Microsoft Office vulnerabilities. He noted that Office users without administrative privileges won't be affected by these flaws as much as users running with full privileges.

Storms also said that Microsoft's newer Office apps appear to be less vulnerable than its older ones. "When the support line for Office 2000 and Office 2003 drops off the board, we're probably going to see a pretty significant reduction in Office vulnerability," he said.

"Microsoft has been doing something right," said Schultze. "Over time, the apps are getting better and stronger. It shows a trend toward Microsoft getting better at this."
