Patch Tuesday Plugs 12 Holes in Microsoft Office

On Patch Tuesday, Microsoft fixed 12 vulnerabilities in four security bulletins. Every one of them fixes bugs in Microsoft Office.

Included is a fix for the zero-day remote-code vulnerability in Excel. The exploit was made public in January and is corrected by the MS08-014 patch that addresses seven vulnerabilities in Excel. The other patches, MS08-015, MS08-016 and MS08-017, address issues in Outlook, Office and Office Web Components, respectively.

All the security bulletins are serious, but the Office Web Components patch stands out because these ActiveX components are widely distributed and relatively easy to exploit, according to Ben Greenbaum, senior research manager for Symantec Security Response. Symantec has observed attackers continuing to target Web plug-ins to quickly and quietly install malicious code.

"While browser plug-ins of all kinds represent an increasingly attractive vector for attackers, the security of other nonnetwork-facing applications is still a relevant issue as well," Greenbaum said. "With seven vulnerabilities being addressed in the Microsoft Excel patch, it's clear that users need to keep all software patched and up to date. Additionally, full-featured security software can protect users from attacks against some vulnerabilities well in advance of the availability of patches."

Don't Delay

Because all four of the patches affect Microsoft Office, these patches cannot be ignored or delayed, urged Don Leatham, director of solutions and strategy at Lumension Security. The broad install base of Microsoft Office, he said, makes Office vulnerabilities an enticing target for hackers and cybercriminals.

"Microsoft Outlook is the dominant e-mail client in use today, and e-mail is also one of the most common attack vehicles used by hackers against organizations," Leatham said. "This will make Bulletin 2, a critical, remote-code-execution vulnerability which affects virtually all versions of Outlook, the biggest priority for IT administrators. This vulnerability affects all versions of Outlook, including Outlook 2007 running on Windows XP...
