Wednesday, March 12, 2008
Trojan attack may exploit one of Office Excel's known vulnerabilities
Microsoft (24hoursnews)'s Patch Tuesday came a day late after a U.S. Computer Emergency Readiness Team advisory warned that a targeted Trojan attack may exploit one of Office Excel's known vulnerabilities.
Altogether, the vulnerabilities can be found in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Office Excel 2002, Office Excel 2000 and Excel 2004 for Mac. However, the vulnerability doesn't affect customers using Office Excel 2007 or Excel 2008 for Mac, or users who have installed Office Excel 2003 Service Pack 3.
The Trojan is circulating through e-mail messages containing attached Excel files, which include known names such as OLYMPIC.XLS and SCHEDULE.XLS, according to the U.S. CERT warning. In addition, CERT warned that the files may also contain Windows binary executables, which have the potential to compromise an affected system.
A Microsoft security advisory warned that exploitation could occur after a user opened a specially crafted Excel file containing malformed header information, corrupting the system memories in a way that could leave the machine vulnerable to remote execution of arbitrary code. A successful exploit would then require a user to open an attachment sent in an e-mail message, which would allow the attacker to gain the same access privileges as the local user, according to the advisory.
Support :Microsoft has released another, albeit small, batch of patches for the monthly update. All of the patches released center on Microsoft Office and backend products.
Addresses a flaw in Microsoft Excel that can lead to remote code execution, this was discovered in January according to some reports, and made it to the patch list rather fast. The update is rated Critical for Microsoft Office Excel 2000 Service Pack 3 and rated Important for Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel Viewer 2003, Excel 2007, and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. This is also included in fixes for Office 2004 for Mac and Office 2008 for Mac.
Addresses remote code execution vulnerabilities in Microsoft Outlook. Unlike most of the Outlook exploits, this vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane. This security update is rated Critical for supported editions of Microsoft Office Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2 and Service Pack 3, and Outlook 2007.
This patch corrects vulnerabilities in Office 2000 that can allow an attacker to subvert affected systems if a user opens a malformed Office file. This security update is rated Critical for supported editions of Microsoft Office 2000 and rated Important for supported editions of Microsoft Office XP, Microsoft Office 2003 Service Pack 2, Microsoft Excel Viewer 2003, and Microsoft Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac.
This update resolves two vulnerabilities in Microsoft Office Web Components. If exploited, they will allow remote access to the system with the same level of access as the current logged in user.
This is a critical security update for implementations of Microsoft Office Web Components 2000. The following software is included on the patch me list for this update.
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Visual Studio .NET 2002 Service Pack 1
Visual Studio .NET 2003 Service Pack 1
Microsoft BizTalk Server 2000 and Microsoft BizTalk Server 2002
Microsoft Commerce Server 2000
Internet Security and Acceleration Server 2000 Service Pack 2.