Microsoft Issues Fixes For Five Security Holes

The software giant made available Wednesday a patch that fixes a "critical" hole in Visual Basic for Applications (VBA) that programmers could exploit to cripple Office, as well as three fixes for Office vulnerabilities that are rated as moderate threats.

The critical issue involves a flaw in VBA that could be exploited to allow arbitrary code execution in Office and Microsoft Business Solutions software, Microsoft said. A patch to correct that problem was issued Wednesday.

Another vulnerability, rated a more moderate threat, affects customers who use Access or the downloaded Access Snapshot Viewer. Microsoft also found and fixed a problem that could affect those who use the WordPerfect converter with Office and a problem that could allow macros to run in Word without warning.

Finally, Microsoft issued another patch for a less significant Windows NetBIOS vulnerability, which it rates as a low threat.

These five are the latest in a series of patches and fixes Microsoft has released to enhance the security of its software, which has suffered a series of attacks by hackers this summer.

Most recently, the infamous MSBlaster and Sobig.F worms caused major headaches, effectively disabling e-mail servers across the country and, in one case, forcing one state Department of Motor Vehicles to shut down.

Solution providers, which are often on the front line and called in to help resuscitate their customers' systems, are in some cases making more services deals because of the outbreak of attacks.

However, many say the availability of these patches from Microsoft can save solution providers a lot of time fighting fires and keep their customers happy and protected. The big problems come when solution providers, systems integrators and customers ignore these security alerts and fixes from Microsoft and ISV partners such as Symantec and Network Associates McAfee, channel partners said.

Econium, for example, only had two or three customers whose e-mail was affected by Blaster because they failed to download the fixes. "It is incumbent on the solution provider channel to have robust security and to stay on top of the issues," said Ken Winell, president of the Totowa, N.J.-based solution provider. "I updated for the Blaster patch and was immune. If you stay on top of it, you don't have a problem."

Other partners, however, said the biggest fix must come from Microsoft.

"The biggest problem is Microsoft reliably finding holes in their software and then reliably getting the boxes patched," said Scott Urbatsch, engineer manager at Polar Systems, Portland, Ore. "We have slowly been implementing Microsoft's Automatic Updates, but have been bitten a few times due to other issues caused by the patches. We have been working overtime to resolve our reactive clients, and some proactive clients [who implemented Microsoft's fixes] but where a PC was missed, or a laptop was brought back into the network infected. We have been doing good business keeping on top of these various issues, but are getting tired of the continual breaches."

ASAP Software Express, an enterprise software advisor, said the process is steadily improving, but the outbreaks will continue if partners and customers ignore bulletins and fail to update their software with fixes--or newer versions of Windows.

"Microsoft has done a reasonably good job responding to its own security shortcomings in recent quarters. Microsoft has found problems before hackers have and has created patches, and made those patches available readily and for all markets," said Roger Moffat, senior director of product marketing at ASAP Software, Buffalo Grove, Ill. "There is a general apathy in the public for downloading patches until there is a problem. Microsoft will have to push more and more into its [Software Assurance] offering around patch control. Customers also have consistent ways to prioritize all patches."