Hard Day At The Office: Microsoft Releases Four Critical Patches
Microsoft's March Patch Tuesday security bulletin addresses 12 vulnerabilities in four security updates, repairing critical errors which leave earlier versions of the popular Microsoft Office program susceptible to exploitation by a remote attacker.
Security experts say that this month's security bulletin is the first in which all four critical patches addressed versions of Microsoft Office. Specifically, the four critical vulnerabilities significantly affect several earlier versions of Excel, Outlook, Office and Office Web Components. All of the critical vulnerabilities could allow a remote attacker to execute a denial of service attack or completely infiltrate an affected system.
One of the most serious errors is addressed by security update MS08-015, which fixes a newly discovered vulnerability in the Microsoft Office Outlook application, security experts say. Unlike other client-side vulnerabilities, the Outlook error could allow malicious code to be executed on a user's computer simply by clicking on an affected e-mail link. "Most users are pretty well conditioned now not to open evil Word documents," said Eric Schultze, chief technology officer of Shavlik Technologies, "but this is a brand new scenario."
The vulnerability could allow a remote attacker to read a user's existing e-mail messages and potentially redirect all future messages to an attacker-controlled location, in addition to installing programs; viewing, changing or deleting data; or creating new accounts with full user privileges.
"It opens up Outlook and at the same time that it's doing that, it's actually executing code on your system," said Schultze, a former Microsoft employee who was responsible for writing security bulletins and releasing patches. "It seems really easy to exploit. I imagine that we'll see it being exploited shortly. Most users will be caught unaware."
The vulnerability is not exploitable by viewing an e-mail through the Outlook preview pane, according to the Microsoft security bulletin.
Another serious patch released this month resolves one publicly and six privately reported vulnerabilities in Microsoft Office Excel, or "seven different ways to hack a user with Excel," said Schultze.
The Excel vulnerabilities, which were detected at the end of last year, are particularly destructive in Office Excel 2000, allowing a user to be infected without actively opening up the application. Later versions of Excel are subject to exploitation only when a user specifically accesses the application, security experts say.
Meanwhile, a recent US-CERT report warned of targeted Trojan attacks which have exploited the Excel vulnerabilities.
"I think Microsoft was caught unaware," he said. "It usually takes them a couple of months to get it fixed and tested."
Another update addresses a Microsoft Office bug that can leave a computer vulnerable when a user opens a malformed Office file. The final update fixes an error in Microsoft Office Web Components that could expose a user to remote attack after viewing a specially crafted malicious Web page.
Security experts recommend that users update their computers with the latest available patches, in addition to being judicious when surfing the Web.
"The older versions of Office are much more at risk," said Schultze. "Apply the patches and don't visit evil Web sites."