Microsoft target Office with Patch Tuesday blitz
By Miya Knights
Microsoft's monthly patching update was released late yesterday, addressing 12 vulnerabilities in Office along with four critical updates.
Security experts said this is the first time they can recall the software vendor releasing Patch Tuesday updates exclusively for Office. Alan Bentley, regional vice president of security vendor Lumension, said: "As all four of the patches affect Microsoft Office, these patches cannot be ignored or delayed. The broad install base of Office makes its vulnerabilities an enticing target for hackers and cyber criminals."
Microsoft said hackers could use the flaws identified in March's patch update to gain control of an unprotected PC's systems. The affected Office components include Outlook, Office 2000 and Office's web components, and the update also covers an Excel flaw that has been a target of hackers for some two months or so already.
Update MS08-014 fixes the publicly disclosed zero-day flaw in the spreadsheet application, which attackers exploit by enticing users to click on malicious Excel files in order to infect PCs with spyware and rootkits. Versions 2000, 2002 and 2003 and Service Pack 2 of Excel are affected, Microsoft said, although it added that Excel 2007 and Excel 2003 Service Pack 3 were not at risk.
But Benson singled out the MS08-015 patch, which addresses a flaw that could be used to trick a victim into clicking on a specially crafted "mailto" link, allowing an attacker to potentially "install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in the patch notice.
This kind of attack exploits flaws in the mail client's handling of Uniform Resource Identifiers (URIs) and has been observed in use in the wild for the past year.
"Microsoft Outlook is the dominant email client in use today and email is also one of the most common attack vehicles used by hackers against organisations," added Bentley. "This makes MS08-015, a critical, remote-code-execution vulnerability that affects virtually all versions of Outlook, the biggest priority for IT administrators this Patch Tuesday. This vulnerability affects all versions of Outlook, including Outlook 2007 running on Windows XP and Vista."
The other two updates address critical vulnerabilities in Office and its ActiveX control web components used not only in the productivity suite, but also in Microsoft's BizTalk Server, Commerce Server, and the Internet Security and Acceleration (ISA) Server.