Microsoft fixes a dozen Office flaws in four patches; all are critical
Microsoft today released its March 2008 security bulletin, which includes four bulletins, all deemed critical by Microsoft.
The most serious of these affects Microsoft Excel, which alone has six specific "Common Vulnerablities and Exposures" vulnerabilities noted, one of which has been exploited in the wild. The next most serious affects Microsoft Outlook. In that one, a vulnerability in how the software parses "mailto" URIs could lead to remote code execution. A third bulletin affects how various Microsoft Office apps open maliciously crafted files. The final bulletin concerns how Office interfaces with the Web and includes one vulnerability that has been known but unpatched since September 2006. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Entitled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)," this bulletin is critical for users of Microsoft Excel 2000 Service Pack 3, and important for users of Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2007, Microsoft Office Excel Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. Not affected are Microsoft Works 8, 8.5, and 9, or Works suite 2005 and Works suite 2006. The update addresses vulnerabilities detailed in CVE-2008-0111, CVE-2008-0112, CVE-2008-0114, CVE-2008-0115, CVE-2008-0116, CVE-2008-0117, and CVE-2008-0081. Microsoft says, "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights."
Entitled "Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)," this bulletin affects users of Microsoft Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2, Outlook 2003 Service Pack 3, and Outlook 2007. Not affected are users of Outlook 2007 Service Pack 1. The update addresses the vulnerability detailed in CVE-2008-0110. Microsoft says this vulnerability "could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane."
Entitled "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac. Not affected are users of Microsoft Office 2003 Service Pack 3, Microsoft PowerPoint Viewer 2003, Microsoft Visio 2002 Service Pack 2, Microsoft Visio 2003 Viewer, Microsoft Word Viewer 2003, Microsoft Project 2000 Service Pack 1, Microsoft Project 2002 Service Pack 2, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, and Microsoft Office 2008 for Mac. The update addresses the vulnerability detailed in CVE-2008-0113 and CVE-2008-0118. Microsoft says, "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Entitled "Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000, Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2. Not affected are users of Microsoft Works 8, Microsoft Works 9, Microsoft Works Suite 2005, Microsoft Works Suite 2006, Microsoft Office 2003 Service Pack 2, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft BizTalk Server 2004, Microsoft BizTalk Server 2006, Microsoft Commerce Server 2000 Service Pack 1, Microsoft Commerce Server 2000 Service Pack 2, and Microsoft Commerce Server 2000 Service Pack 3, Microsoft Commerce Server 2002, Microsoft Commerce Server 2007, Internet Security and Acceleration Server 2004, and Internet Security and Acceleration Server 2006. This update addresses the vulnerability detailed in CVE-2006-4695 and CVE-2007-1201. Microsoft says, "these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
http://www.openoffice.org/