Major patch day for Excel
What initially promised to be a relatively quiet patch day is turning into a patch orgy especially for Excel users. Microsoft has announced six patch packages to fix a total of 15 "security vulnerabilities" in Microsoft Windows and Office. Many of the issues have been rated critical with an exploitability index of 1. This means that exploits are likely to appear.
Security bulletin MS09-067 alone describes 8 security issues in Excel. Redmond's security experts consider it probable that stable exploits will be circulated for at least three of the holes. The affected versions of Office include XP, 2003, 2007 and Office for Mac. Using the Excel Viewer offers no protection because the Viewer itself is vulnerable. Incidentally, the same applies to the security hole in Word (MS09-068), which also affects the Viewer. As usual, Microsoft hasn't rated the holes in Office in the top category because they require users to open a specially crafted document.
Of the three Windows kernel driver vulnerabilities described in MS09-065, a problem with the processing of Embedded OpenType (EOT) fonts is the most noteworthy. In Windows XP and Server 2003, it allows arbitrary code to be injected and executed via documents or web pages that contain these fonts. The other two vulnerabilities merely allow attackers to escalate their privileges.
A flaw in the protocol for communicating with devices such as printers, cameras and PDAs (MS09-063) only affects Vista and the related Server 2008. The Web Services on Devices API (WSDAPI) service listening on TCP port 5357 and 5358 appears to process WSD message headers incorrectly. The service is enabled in all the Windows firewall settings except those for public networks, which allows attackers to access it remotely. Responses to outgoing requests can also be used to exploit the hole.
MS09-066 reports another flaw in the LSASS service that potentially allows attackers to cripple Windows XP and Server 2000/2003/2008. The update for MS09-064.mspx fixes a critical security issue in the License Logging Server of Windows 2000 Server.
Interestingly, all the security holes discovered externally appear to have been reported to Microsoft first this time. That Microsoft's latest version of Windows is not affected by any of the holes is, of course, also open to interpretation. Nevertheless, users are advised to install the updates as soon as possible – ideally via Microsoft's Automatic Updates service, which became available to Office customers some time ago.
- Security Bulletin Summary for November 2009 by Microsoft