Microsoft Patch Tuesday Fixes A Dozen Office Flaws - InformationWeek
05:17 PM

Security researchers say client-side vulnerabilities are more likely to bear fruit for hackers than server-side vulnerabilities.

Microsoft on Tuesday fixed 12 vulnerabilities in four security bulletins, all of which affect Microsoft Office.

The fact that all the vulnerabilities reside in Microsoft Office, said Eric Schultze, chief technology officer of Shavlik Technologies, supports the current belief that client-side vulnerabilities are more likely to bear fruit for hackers than server-side vulnerabilities.

MS08-014 (maximum severity of Critical) addresses seven vulnerabilities in Microsoft Office Excel, among them a zero-day flaw that Microsoft acknowledged in January. It could allow an attacker to take control of an affected system if the victim opens a maliciously crafted Excel file; any code that runs does so with the privileges of the user who opened the file.

Amol Sarwate, manager of the vulnerability research lab at Qualys, said that macro vulnerabilities in Excel have been a recurring problem for about a decade. While exploits for the Excel flaw have been spotted in the wild, he said that damage appears to be relatively limited. He also said it's difficult to be sure about that because not all damage arising from exploitation of the vulnerability has been publicized.

The usual method of exploiting this kind of flaw is enticing a user to open a file. "This is a concern because there's no simple firewall adjustment that can address this," Sarwate said.

MS08-015 (maximum severity of Critical) addresses a new, privately reported vulnerability in Microsoft Office Outlook. The flaw could allow an attacker to read and re-route a user's e-mail messages.

Schultze considers this vulnerability the most interesting of this month's crop. "This is the first one I'd patch because it's exploiting something that's never been exploited before," he said.

MS08-015 allows an attacker to execute code remotely through Outlook if the victim clicks on a maliciously crafted "mailto:" link, whether that link sits in a Web page or in an e-mail message. "Users have never had to watch out for malicious e-mail links before," said Schultze. "I think we'll see this get exploited quite a bit."
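The article gives no technical detail of how the crafted "mailto:" link works, so the following does not detect the MS08-015 exploit itself. It is an added example, not code from the article, Microsoft, or any of the vendors quoted: a heuristic triage script of the kind a mail gateway or Web proxy could run while the patch is rolled out, flagging "mailto:" links that deviate from the RFC 2368 shape (raw characters that should be percent-encoded, malformed addresses, header fields outside the usual set). The allowed-header list, the length cap and the sample HTML are all constructed assumptions for the example.

```python
"""Heuristic inspector for mailto: links in an HTML body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Header fields RFC 2368 illustrates; anything else is reported as unexpected.
# Assumption: a local policy choice for this example, not a Microsoft or RFC rule.
ALLOWED_HEADERS = {"to", "cc", "bcc", "subject", "body"}

# Characters RFC 2368 requires to be percent-encoded inside a mailto: URI.
# Seeing them raw suggests a hand-crafted rather than browser-generated link.
RAW_UNSAFE = frozenset(' "<>\\\'`|^{}[]\t\r\n')

# Deliberately simple addr-spec check; enough to reject quoted or garbage addresses.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

MAX_URI_LEN = 1024  # assumption: generous cap for a legitimate mailto: link


class _HrefCollector(HTMLParser):
    """Collect every href attribute from <a> tags (entities are unescaped by the parser)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def extract_mailto_links(html):
    """Return all mailto: hrefs found in an HTML body; the scheme match is case-insensitive."""
    collector = _HrefCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if h[:7].lower() == "mailto:"]


def inspect_mailto(uri):
    """Return the reasons a mailto: URI looks abnormal; an empty list means it passed."""
    reasons = []
    body = uri[7:]  # strip the "mailto:" scheme
    if len(uri) > MAX_URI_LEN:
        reasons.append("uri too long")
    bad = sorted({c for c in body if c in RAW_UNSAFE})
    if bad:
        reasons.append("unencoded characters: " + repr("".join(bad)))
    addr_part, _, query = body.partition("?")
    # RFC 2368 allows an empty address list (e.g. "mailto:?to=..."), so skip blanks.
    for addr in filter(None, addr_part.split(",")):
        if not ADDR_RE.match(unquote(addr)):
            reasons.append("malformed address: " + addr)
    if query:
        for field in query.split("&"):
            name, sep, value = field.partition("=")
            if not sep:
                reasons.append("header without value: " + field)
                continue
            if name.lower() not in ALLOWED_HEADERS:
                reasons.append("unexpected header: " + name)
            decoded = unquote(value)
            # Line breaks and tabs are legitimate in a body; other control bytes are not.
            if any(ord(c) < 32 and c not in "\r\n\t" for c in decoded):
                reasons.append("control characters in header " + name)
    return reasons


def triage_html(html):
    """Map each mailto: link in the HTML to its list of findings."""
    return {link: inspect_mailto(link) for link in extract_mailto_links(html)}


# Constructed sample body: two ordinary links, one hand-crafted one, one broken one.
SAMPLE_HTML = """<p>Contact <a href="mailto:alice@example.com?subject=Hello">Alice</a>.</p>
<p><a href="MAILTO:bob@example.com?subject=Re%3A%20meeting&amp;body=see%20attached">Bob</a></p>
<p><a href='mailto:"carol@example.com"?subject=x&odd-switch=1'>odd</a></p>
<p><a href="mailto:not-an-address">broken</a></p>
<p><a href="https://example.com/">not mailto</a></p>"""

if __name__ == "__main__":
    for link, findings in triage_html(SAMPLE_HTML).items():
        print(link, "->", findings or "ok")
```

Links that return no findings are still worth treating with the usual suspicion the article describes; the point of the script is to pull the obviously hand-built ones out of the stream for review, not to certify the rest as safe.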

MS08-016 (maximum severity of Critical) repairs two new, privately reported vulnerabilities in Microsoft Office; the Critical rating applies to Office 2000, with later versions rated lower. The vulnerabilities could allow an attacker to take control of an affected system.

MS08-017 (maximum severity of Critical) fixes two new, privately reported vulnerabilities in Microsoft Office Web Components. As above, these flaws could allow an attacker to take control of an affected system.

The four bulletins affect various versions of Microsoft Office. In the case of MS08-014, Mac versions of Office 2004 and Office 2008 are also affected.

Andrew Storms, director of security operations at nCircle, said this month's patch cycle represented a "shining example" of mitigating Microsoft Office vulnerabilities. He noted that Office users without administrative privileges won't be affected by these flaws as much as users running with full privileges, since code that gets in through a malicious document runs with the rights of the account that opened it.

Storms also said that Microsoft's newer Office apps appear to be less vulnerable than its older ones. "When the support line for Office 2000 and Office 2003 drops off the board, we're probably going to see a pretty significant reduction in Office vulnerability," he said.

"Microsoft has been doing something right," said Schultze. "Over time, the apps are getting better and stronger. It shows a trend toward Microsoft getting better at this."
