Microsoft closes twelve holes in Office programs
Microsoft has closed twelve security holes with four security updates – seven of them in Excel, two in Office, two in Office Web and one in Outlook. The vendor classifies all twelve holes as critical, since they can be used to inject code into a Windows client, allowing an attacker to take control of the system. However, there are differences in the levels of interaction required of the user.
In Excel (MS08-014), the user has to open a manipulated document, which under normal conditions cannot be opened directly from an email: Microsoft classifies Excel files as unsafe, so direct access to them is blocked in Outlook and Outlook Express. The problems affect Office Excel 2000 (Service Pack 3), Excel 2002 (SP3), Excel 2003 (SP2), Excel Viewer 2003, Excel 2007, the Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 file formats, as well as Office 2004 for Mac and Office 2008 for Mac.
The two vulnerabilities in Office (MS08-016) also require an infected document to be opened. Office 2000, Office XP, Office 2003 Service Pack 2, Excel Viewer 2003, Excel Viewer 2003 (SP3), and Office 2004 for Mac are all vulnerable. While there is some overlap between the updates for the errors in Excel and Office, both patches have to be installed.
The Outlook (MS08-015) hole means the user can fall victim to an attack with a single click on a crafted website. The root of the problem is inadequate filtering of mailto: URIs when Internet Explorer hands them on to the mail client. The error exists in Office Outlook 2000 (SP3), Outlook 2002 (SP3), Outlook 2003 (SP2, SP3), and Outlook 2007. Outlook 2007 with Service Pack 1 is not vulnerable.
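The Outlook issue above is a case of one program (the browser) forwarding attacker-controlled input (a mailto: URI) to another (the mail client) without enough validation. As an added illustration of the kind of strict check a protocol-handler boundary should apply, the following Python validator accepts only URIs that fit a conservative mailto grammar and rejects anything else. This is example code written for this article, not Microsoft's code and not a description of the actual fix; the allowlist, the header field names and the rejected character set are assumptions chosen for the demonstration.

```python
"""Strict validation of mailto: URIs before they are handed to a mail client.

Added example, not Microsoft's code. The grammar enforced here is deliberately
narrower than RFC 6068: it accepts plain recipient addresses and a few common
header fields and rejects everything else. The choice of allowed fields and
disallowed characters is an assumption for the example.
"""

import re
from urllib.parse import unquote

# Assumption: a plain local@domain.tld form is all a handler needs to forward.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Assumption: only these header fields are ever forwarded to the mail client.
_HEADER_ALLOWED = {"subject", "body", "cc", "bcc"}

# Characters that have meaning to shells, command lines or header parsers and
# therefore should never reach the next program from an untrusted URI.
_DANGEROUS_CHARS = set('"\\<>|&;`')


def validate_mailto(uri: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if the URI fits the strict grammar."""
    if not uri.lower().startswith("mailto:"):
        return False, "not a mailto: URI"
    rest = uri[len("mailto:"):]
    if len(rest) > 2048:
        return False, "URI too long"

    addr_part, _, query = rest.partition("?")
    recipients = [a for a in addr_part.split(",") if a]
    if not recipients:
        return False, "no recipient"

    # Validate after percent-decoding so encoded bytes cannot slip past the check.
    for raw in recipients:
        decoded = unquote(raw)
        if not _ADDR_RE.match(decoded):
            return False, f"bad recipient: {decoded!r}"

    if query:
        for field in query.split("&"):
            name, sep, value = field.partition("=")
            if not sep or name.lower() not in _HEADER_ALLOWED:
                return False, f"disallowed header field: {name!r}"
            decoded = unquote(value)
            if any(ord(c) < 32 for c in decoded):
                return False, f"control character in {name}"
            if any(c in _DANGEROUS_CHARS for c in decoded):
                return False, f"unexpected characters in {name}"
            if name.lower() in ("cc", "bcc"):
                for raw in decoded.split(","):
                    if raw and not _ADDR_RE.match(raw):
                        return False, f"bad {name} address: {raw!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    samples = [
        "mailto:alice@example.com",
        "mailto:alice@example.com?subject=Hello%20there&body=See%20attached",
        "mailto:alice@example.com?subject=%22%20/x%20%22",
        "mailto:alice@example.com?x-unknown=1",
        "http://example.com/",
        "mailto:",
    ]
    for s in samples:
        print(s, "->", validate_mailto(s))
```

The important design point is that the check runs on the decoded value: a validator that only inspects the raw URI can be bypassed by percent-encoding the very characters it tries to reject. Anything the grammar does not explicitly allow is refused rather than escaped.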
The two problems in Office Web (MS08-017) can be exploited with practically no user interaction. A visit to a manipulated website is enough to infect the PC with malware. These days it is much easier to come into contact with such websites than one would like; it can happen through unwanted redirects in Google search results, or through injected IFrames in websites that appear benign.
As usual, Microsoft does not provide detailed information on the holes. In the "Security Vulnerability Research & Defense" blog, the Redmonders discuss the vulnerabilities in a bit more detail, including how to exploit or remedy them. All of the updates are distributed via the automatic update feature. Microsoft is also distributing an updated version of the Malicious Software Removal Tool (MSRT).
- Microsoft Security Bulletin Summary for March 2008, overview by Microsoft