Seven security bulletins on Microsoft's next patch day
Next Tuesday, Microsoft will release a total of seven security bulletins. Four of them concern weak points in Windows; three concern security holes in the Office suite. Microsoft rates at least one of the bulletins as critical. The updates released next Tuesday will require systems to be rebooted.
As usual, Microsoft has not announced which weak points are to be closed on patch day. It is, however, likely that the software vendor will close security holes in Excel on Tuesday. Just before the patch day in June, flaws were discovered in the spreadsheet program that allow attackers to inject malicious software into systems by means of manipulated Excel files. In addition, long links in the tables cause a buffer overflow with the same consequences. A third weak point may concern embedded objects in Excel documents. Also, security service provider Secunia has just announced that it has discovered a fourth problem in Excel that probably only concerns Asian versions of the software: long styles may provoke a buffer overflow.
At least one of the patches for the Windows security bulletins may close some of the numerous security holes in Internet Explorer. As part of his Month of Browser Bugs (MoBB) campaign in July, Metasploit developer H.D. Moore is publishing one weak point in Web browsers each day. Some of the security holes he has already published, such as those in the ActiveX module HHCtrl, which displays HTML help files, or in the ActiveX control ADODB, cause browsers to crash at the very least. Attackers may, however, also be able to inject arbitrary code through these holes.
There is also still no patch for a hole in Internet Explorer discovered by Plebo Aesdi Nael; attackers can exploit this hole to get users to download and execute malicious software disguised as HTML applications. He also found an error in cross-domain protection that would allow web sites to read the content of other sites.
- Microsoft Excel Style Buffer Overflow Vulnerability, security advisory at Secunia
- Microsoft Security Bulletin Advance Notification, Microsoft's announcement of upcoming Security Bulletins