April 14, 2009 11:09 AM PDT

Microsoft fills Excel, Windows, Word holes

by Elinor Mills

Updated 12:30 p.m. PDT with ZoneAlarm discount offer and 11:50 a.m. PDT with comment from security vendors.

Microsoft on Tuesday closed security holes in Excel, Windows, and Word that had been exploited in the wild as well as other holes for which exploit code or details exist, all as part of its monthly patch update cycle.

The critical Excel hole could allow an attacker to take complete control of an unpatched system if a user opens a specially crafted Excel file. Security firm Symantec said in February that it had discovered malicious files in the wild in Japan that attempt to exploit the Excel Unspecified Remote Code Execution Vulnerability.

The patch affects Microsoft Office 2002, 2003, and 2007, as well as Microsoft Office 2004 and 2008 for the Mac, according to the Microsoft bulletin.

Microsoft also released a patch for a critical vulnerability in WordPad and Office that could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Word. This vulnerability is currently being exploited on the Internet, Microsoft said. It affects Windows 2000, Windows XP, Windows XP Professional, Windows Server 2003, Microsoft Office Word 2000 and Word 2002.

Another patch fixes four critical vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted Web page or if a user connects to an attacker's server via HTTP. Exploit code and attack details have been made public for a couple of the vulnerabilities. Affected software is IE 5, 6, and 7.

A patch for Microsoft DirectShow closes a critical vulnerability that could allow an attacker to take complete control of a system if a user opened a specially crafted MJPEG file. It affects DirectX 8 and DirectX 9.

A fifth patch addresses critical vulnerabilities in Windows HTTP services that could allow an attacker to take complete control of the system and for which exploit tools and code have been made public. Affected are Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and Server 2008.

Also fixed are important holes in Windows being exploited in the wild that could allow elevation of privilege if an attacker is allowed to log on to a system and run a specially crafted application. Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and Server 2008 are affected.

Other patches address less critical holes in Microsoft Internet Security and Acceleration Server 2004 and 2006 and the medium business edition of Forefront Threat Management Gateway, as well as SearchPath. Attack details have been made public for the SearchPath blended threat vulnerability. It affects Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and Server 2008.

In all, Microsoft issued eight patches for about two dozen reported vulnerabilities.

"We were astonished to see how many zero-days are in that release," said Wolfgang Kandek, chief technology officer of Qualys, in reference to exploits that target software with a vulnerability that has not been patched yet.

"Ten of the vulnerabilities have either exploits out in the wild or there is proof-of-concept code available and that's a first, I think, in terms of the number of zero days in a single bulletin," he said. "For the IT guys, that means their window has just shrunk to zero to get these things fixed."

The IE vulnerability is of particular concern, Ben Greenbaum, senior research manager at Symantec Security Response, said in an e-mail statement. It "appears to be the easiest of the bunch to take advantage of by an attacker and also happens to be the one that requires the least amount of involvement by a user to exploit. An attacker can simply lure a victim into viewing a Web page that contains malicious content and that individual's computer can then be taken over."

Missing from the bulletin was a fix for a zero-day hole in PowerPoint that Microsoft warned on April 2 had been targeted by attackers.

In honor of Patch Tuesday, Check Point Software Technologies said it was selling a full version of its ZoneAlarm Internet Security Suite for $9.95 instead of $49.95. The sale runs for 24 hours starting at 6 a.m. PDT on Tuesday. Check Point said it will donate half of the proceeds to the non-profit TechSoup Global.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
24 Comments
by bonesbautista April 14, 2009 11:56 AM PDT
I'm still waiting for MS to fix the print setup bug for .xlsx files with multiple tabs in both Excel 2007 (Win) and Excel 2008 (Mac). Works in .xls files with multiple tabs and multiple page setup settings, go figure - still not fixed more than a year after the release of both applications.
by kevsmail April 14, 2009 1:01 PM PDT
What is the bug?
by Mr. Dee April 14, 2009 12:13 PM PDT
I am not gonna lie, I am a bit embarrassed by this. Anyway, Automatic Updates are turned on, latest virus definitions installed, UAC on. So, I know I am safe.
by The_happy_switcher April 14, 2009 1:07 PM PDT
Watch out, that virtual condom could spring a leak at any moment.
by ittesi259 April 14, 2009 1:10 PM PDT
Yes you are safe.....or....you are now considering these exploits weren't viruses....even with all your precautions you were still sitting open to that Excel bug which has been exploited for months yet MS took a hugely unacceptable long time to fix.
by Mr. Dee April 14, 2009 6:30 PM PDT
Hey AppleRocks, wasn't Safari on pill, but still got exploited by a simple hack? Talk about promiscuous.
by Dalkorian April 15, 2009 10:28 AM PDT
Why are *you* embarrassed Dee? Did you write this shoddy code yourself?

I wouldn't be so smug in that "I know I am safe" comment if I were you. UAC is like using chicken wire as a bullet proof vest, it might make you FEEL safer but the illusion only endangers you more.
by b_baggins April 15, 2009 11:35 AM PDT
Um, these things were in the wild BEFORE MS issued the update. You weren't safe until then, even with all that stuff turned on.
by SNOOP_ROCA April 15, 2009 8:34 PM PDT
Mr. Dee, please turn your computer off, get a bat and smash your computer multiple times until it can't turn on, and go live in a cave. Thanks for your cooperation!
by rmva April 14, 2009 1:13 PM PDT
Cool deal! Elinor, maybe you can get Dairy Queen to offer a Patch Tuesday Blizzard for 25 cents.
by saffroncapital April 14, 2009 2:10 PM PDT
And there is still the PowerPoint hole lurking in every system....

Nice one M$FT....
by Vegaman_Dan April 14, 2009 3:02 PM PDT
Nice one, $affroncapital. Why I do believe you may be the very first person in history to have made that $=S substitution in reference to Microsoft.

Very good! How very very original of you! Now you can gain the respect and praise of your peers for being so clever and witty.
by jabberwolf April 15, 2009 5:16 AM PDT
Lurking?
Yeah, and there is a security hole lurking in the OS itself.. oh, but that's just OS X that hasn't been fixed and it's been a year.
by BOTNET April 14, 2009 3:49 PM PDT
Lots of bugs, but ... Microsoft disclosed all details and delivered the patches in the scheduled monthly update cycle. Why is Apple hiding all bugs in their OS and sending patches in random secret updates? And ... when they send it, they always tell me to install SAFARI, come on.
by April 14, 2009 5:31 PM PDT
There are more Microsoft Office viruses in any given week than all other office products combined since the first word processor was invented. Do you buy a car with faulty brakes that need to be continuously upgraded after defects are found? Why do you use a virus petri dish of a word processor?
by Thephatrican April 14, 2009 8:10 PM PDT
At least we don't pay for updates. We pay for car brakes, even when it is their fault (or our fault for doing something we weren't supposed to).

Pretty much that's what an update is. Fixing something that wasn't supposed to be done so that it actually isn't done =P Just like car brakes.
by jabberwolf April 15, 2009 5:17 AM PDT
"I'm still waiting for MS to fix the print setup bug for .xlsx files with multiple tabs in both Excel 2007 (Win) and Excel 2008 (Mac)"

There probably isn't any Bug, you own a mac, thus you probably aren't smart enough to use applications like excel. Try setting the print are yourself.

The bug = macuser = picnic = problem in chair not in computer!!
by seven7dust April 15, 2009 7:35 AM PDT
And they call Mac users elitist!
by schmidty313 April 15, 2009 10:23 AM PDT
Haha you said Mac!! What a joke!
by Dalkorian April 15, 2009 10:25 AM PDT
Are you telling us you made sense of that grammatical nightmare, 7dust?

"Try setting the print are yourself." - yeah, sounds like the typical M$ apologist to me. I still can't grok what "picnic" is doing in that last attempt at a sentence. That's 2 out of 3 sentences that make absolutely no sense whatsoever!
by seven7dust April 15, 2009 9:56 AM PDT
Another day, another hole in MS software!
by Neumenon April 15, 2009 12:50 PM PDT
Excuse me: what's with the ZoneAlarm ad at the end of the article?

I used their product for years until recently, when I realized they are now making bug-ridden bloatware.

Good riddance.
by gnesterenko April 15, 2009 12:51 PM PDT
Lol, you fanboys.. you hear 'bug' and 'unpatched for years' and automatically cue the prepacked responses. Honestly, you should save yourselves some time. Write all your comments on a dart-board and whenever an article like this comes up, throw a dart at said dart-board, post said comment. Much more originality that way (well, not really actually).

So they fixed a hole? That only came up when you actually DL and open specific infected files that you probably got off some junk website. Umm. To use the car analogy again, it's kinda like this: option 1) fill up your car at a gas station. Yes, you support oil companies that way, but you know you are getting gas. 2) buy it from the guy with a rusted barrel in the back of a pickup. Hope you like sugar in your gas tank.

Conclusion - yet again, hole exploited due mainly to user gullibility. Yet again, zero sympathy. And honestly, how often do you get a word/doc file EVEN if you randomly browse malicious sites?

Oh and this gem: "There are more Microsoft Office viruses in any given week than all other office products combined since the first word processor was invented"
By law of statistics, you are correct, because there are more instances of MS Office USED in a given week than all products combined since the first word processor was invented. But you are right, let's go for open office instead, just as good. Let me just write some VBA apps to actually make it useful... oh wait...

"The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
by aintnorainbowdorothy April 16, 2009 5:30 AM PDT
Fangirls and boys, I didn't know there was a $ sign in any word in any dictionary. Oh well, it takes Microsoft two months to take care of an exploit. Apple gets notified of an exploit and takes a year or longer to patch it, in secret. Microsoft has around six to nine patches a month, sending a patch for each exploit known at that time, if they, or someone else, has a fix. Apple doesn't tell users that a patch is available for any exploit, known to be in the wild or not. And it may seem like a single patch, but in reality I've seen as many as 50+ security or firmware updates in a single, seemingly one only, patch while a person has to pay for it. Try updating your precious iPhone and pay that $10 just to do a firmware upgrade. And don't get me going on the Safari interface itself. Microsoft writes all Office products, and has forever it seems, for your precious Macs. And while a person gets at it, the Mac is simply an Apple personal computer, while Microsoft doesn't make or sell computers or components, outside of the Xbox and Zune. And of course firmware and security updates are free for them. Keep a proprietary system that's overpriced and has to have software written for it by someone else. And keep paying for firmware and security updates, all done in a gang update that looks like a single problem but actually covers a lot of them. I think I'll stick with Microsoft and the few Open Source apps I have.