Get Smart about Business Spending
Users of an older version of Microsoft Word could have their computers compromised after downloading and opening a specially crafted .doc file, according to an advisory issued late Tuesday.
Microsoft said only limited and targeted attacks have so far attempted to use this vulnerability against systems running Microsoft Word 2002 SP3.
To become infected, a vulnerable user would have to open a specially crafted .doc document. An attacker using this vulnerability would then have the same user rights as the victim. If a victim were running as administrator, the attacker would gain full access to the compromised PC.
Attacks such as this are often used against corporations and government sites as a means of gaining access to desktop computers inside the security perimeter and, eventually, to its networks shares.
In a press release, Microsoft's security response communications manager Bill Sisk said Microsoft could issue an update as part of its monthly Patch Tuesday program, or, if the situation warrants, it could issue an out-of-cycle update. At the moment, Microsoft is still investigating the matter. "Security advisories address security changes that may not require a security bulletin but may still affect customer's overall security."
Only users of Microsoft Office Word 2002 SP3 are affected. Not affected are users of Microsoft Office Word 2000 Service Pack 3, Microsoft Office Word 2003 Service Pack 2 and Microsoft Office Word 2003 Service Pack 3, Microsoft Office Word 2007 and Microsoft Office Word 2007 Service Pack 1, Microsoft Office Word Viewer 2003 and Microsoft Word Viewer 2003 Service Pack 3, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1, Microsoft Office for Mac 2004, and Microsoft Office for Mac 2008.
On Thursday, Microsoft announced it will release eight security bulletins next week. The news is intended as a heads-up for IT departments in advance of Patch Tuesday.
Of the eight patches, five are considered "critical," and three are considered "important" by the software giant.
Among the critical patches, one will affect Microsoft Office, two will affect Windows, and two will affect the Internet Explorer browser. Of the important patches, Microsoft says one will affect Microsoft Office and two will affect Windows. The potential vulnerabilities include spoofing and remote code execution.
Microsoft today released its March 2008 security bulletin, which includes four bulletins, all deemed critical by Microsoft.
The most serious of these affects Microsoft Excel, which alone has six specific "Common Vulnerablities and Exposures" vulnerabilities noted, one of which has been exploited in the wild. The next most serious affects Microsoft Outlook. In that one, a vulnerability in how the software parses "mailto" URIs could lead to remote code execution. A third bulletin affects how various Microsoft Office apps open maliciously crafted files. The final bulletin concerns how Office interfaces with the Web and includes one vulnerability that has been known but unpatched since September 2006. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Entitled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)," this bulletin is critical for users of Microsoft Excel 2000 Service Pack 3, and important for users of Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2007, Microsoft Office Excel Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. Not affected are Microsoft Works 8, 8.5, and 9, or Works suite 2005 and Works suite 2006. The update addresses vulnerabilities detailed in CVE-2008-0111, CVE-2008-0112, CVE-2008-0114, CVE-2008-0115, CVE-2008-0116, CVE-2008-0117, and CVE-2008-0081. Microsoft says, "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights."
Entitled "Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)," this bulletin affects users of Microsoft Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2, Outlook 2003 Service Pack 3, and Outlook 2007. Not affected are users of Outlook 2007 Service Pack 1. The update addresses the vulnerability detailed in CVE-2008-0110. Microsoft says this vulnerability "could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane."
Entitled "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac. Not affected are users of Microsoft Office 2003 Service Pack 3, Microsoft PowerPoint Viewer 2003, Microsoft Visio 2002 Service Pack 2, Microsoft Visio 2003 Viewer, Microsoft Word Viewer 2003, Microsoft Project 2000 Service Pack 1, Microsoft Project 2002 Service Pack 2, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, and Microsoft Office 2008 for Mac. The update addresses the vulnerability detailed in CVE-2008-0113 and CVE-2008-0118. Microsoft says, "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Entitled "Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000, Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2. Not affected are users of Microsoft Works 8, Microsoft Works 9, Microsoft Works Suite 2005, Microsoft Works Suite 2006, Microsoft Office 2003 Service Pack 2, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft BizTalk Server 2004, Microsoft BizTalk Server 2006, Microsoft Commerce Server 2000 Service Pack 1, Microsoft Commerce Server 2000 Service Pack 2, and Microsoft Commerce Server 2000 Service Pack 3, Microsoft Commerce Server 2002, Microsoft Commerce Server 2007, Internet Security and Acceleration Server 2004, and Internet Security and Acceleration Server 2006. This update addresses the vulnerability detailed in CVE-2006-4695 and CVE-2007-1201. Microsoft says, "these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Microsoft on Tuesday released its February 2008 security bulletin, which includes 11 bulletins, six of which are deemed "critical" by Microsoft, while five are deemed "important." One bulletin, suggested in the advance notice posted Thursday, failed to be released Tuesday. A majority of the "critical" patches affect Microsoft Office, two critical patches include users of Office for Mac 2004, one affects Visual Basic 6.
The "important" patches are mostly Internet services-related. One patch is specific to the Windows Vista update, however, all the Windows Vista-related updates will be included with Windows Vista SP1, expected to roll out to consumers in mid-to-late March.
Tim Rains, security response communications lead for Microsoft, humorously noted that "Windows Vista SP1 and Windows Server 2008 are not affected by any of today's bulletins." They're not affected because they are not yet available to the public. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Titled "Vulnerability in Active Directory Could Allow Denial of Service (946538)," this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, but does not affect Windows Vista. A vulnerability detailed in CVE-2008-0088 exists in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003 and Active Directory Application Mode (ADAM). Microsoft says "attacker must have valid log-on credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart."
Titled "Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)," this bulletin only affects users of Windows Vista. The update addresses the vulnerability detailed in CVE-2008-0084 that exists in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. Microsoft says "an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart."
Titled "Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)," this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, and Vista. The update addresses the vulnerability detailed in CVE-2008-0074 that exists in Internet Information Services (IIS). Microsoft says "a local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Titled "Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)," this bulletin affects users of Microsoft Windows XP SP2 and Server 2003, but not Windows 2000 or Vista. The update addresses the vulnerability detailed in CVE-2008-0075 that exists in the way that IIS handles input to ASP Web pages. Microsoft says "An attacker who successfully exploited this vulnerability could then perform actions on the IIS server with the same rights as the Worker Process Identity (WPI). The WPI is configured with Network Service account privileges by default. IIS servers with ASP pages whose application pools are configured with a WPI that uses an account with administrative privileges could be more seriously impacted than IIS servers whose application pool is configured with the default WPI settings."
Titled "Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (946026)," this bulletin affects users of Microsoft Windows XP SP2, Server 2003, and Vista, but not Windows 2000. This update addresses the vulnerability detailed in CVE-2008-0080 in the WebDAV Mini-Redirector. Microsoft says "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Titled "Vulnerability in OLE Automation Could Allow Remote Code Execution (947890)," this bulletin affects users of all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, Microsoft Office 2004 for Mac, and Visual Basic 6. The update addresses the vulnerability detailed in CVE-2007-0065. If exploited, the vulnerability could allow remote code execution through attacks on Object Linking and Embedding (OLE) Automation if a user viewed a specially crafted Web page.
Titled "Vulnerability in Microsoft Word Could Allow Remote Code Execution (947077)," this bulletin affects users of Microsoft Word 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Word Viewer 2003, but does not affect Microsoft Office 2003 Service Pack 3, Microsoft Word Viewer 2003 Service Pack 3, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac. The update addresses the vulnerability detailed in CVE-2008-0109 and could allow remote code execution if a user opens a specially crafted Word file. Microsoft says "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Titled "Cumulative Security Update for Internet Explorer (944533)," this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, but not Windows Vista. The update addresses the vulnerabilities detailed in CVE-2008-0076, CVE-2008-0077, CVE-2008-0078, and CVE-2007-4790. Microsoft says "the most serious of the vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Titled "Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081)," this bulletin affects users of Microsoft Office 2003 Service Pack 2, Microsoft Office 2003 Service Pack 3, Microsoft Works 8.0, Microsoft Works Suite 2005, but not Microsoft Works 8.5, Microsoft Works 9.0, Microsoft Works Suite 2006, 2007 Microsoft Office System, Microsoft Office 2000, and Microsoft Office XP. The update addresses the vulnerabilities detailed in CVE-2007-0216, CVE-2008-0105, and CVE-CVE-2008-0108 that could allow remote code execution if a user opens a specially crafted Works (.wps) file with an affected version of Microsoft Office, Microsoft Works, or Microsoft Works Suite. Microsoft says "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Titled "Vulnerabilities in Microsoft Office Publisher Could Allow Remote Code Execution (947085)," this bulletin affects users of Microsoft Publisher 2000, 2002, XP, 2003 SP2, but not Microsoft Publisher 2003 SP3 or 2007. The update addresses the vulnerabilities detailed in CVE-2008-0102 and CVE-2008-0104 that could allow remote code execution if a user opens a specially crafted Publisher file. Microsoft says "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Titled "Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108)," this bulletin replaces previous bulletins MS06-047 and MS07-60. This bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, and Microsoft Office 2004 for Mac, but not Microsoft Office 2003 Service Pack 3, Microsoft Excel Viewer 2003, Microsoft PowerPoint 2003 Viewer, Microsoft Visio 2003 Viewer, Microsoft Word Viewer 2003, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft Office 2008 for Mac. The update addresses the vulnerability detailed in CVE-2008-0103 that could allow remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document. Microsoft says "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
- prev
- 1
- next
