Patch Tuesday - Microsoft targets Office flaws

By Isabelle Chaize

March 12, 2008

Microsoft’s monthly release of patches went out yesterday and will focus the attention of hackers on the productivity suite, with all four of the patches released aimed at Office. Twelve vulnerabilities in Office are targeted, as well as four critical updates.

It is the first time Microsoft has released fixes only for Office, according to some security experts. This could alert hackers to the potential for exploitation. Alan Bentley, regional vice-president of Lumension, a security vendor, said ‘as all four of the patches affect Microsoft Office, these patches cannot be ignored or delayed. The broad install base of Office makes its vulnerabilities an enticing target for hackers and cyber criminals.’

Hackers will potentially be able to use the flaws identified in the March patches to gain control of an unprotected computer system.

The patches include MS08-015, which addresses a flaw in Outlook which can be exploited by tricking users into clicking on a ‘mailto’ link, specially created by hackers. According to Microsoft, once the link has been clicked on, the hackers have the capability to ‘install programs; view, change, or delete data; or create new accounts with full user rights’.

This method of attack is not a new one - it has been around for about a year, and capitalises on a flaw in the webmail client’s URIs (Uniform Resource Identifiers).

Bentley said that ‘Microsoft Outlook is the dominant email client in use today and email is also one of the most common attack vehicles used by hackers against organisations. This makes MS08-015, a critical remote-code-execution vulnerability that affects virtually all versions of Outlook, the biggest priority for IT administrators this Patch Tuesday. This vulnerability affects all versions of Outlook, including Outlook 2007 running on Windows XP and Vista’.

Another patch, MS08-014, also addresses a weakness that has been in the wild for a couple of months. The flaw is in Excel, and tries to get users to click on malicious .exe files in order to infect computers with spyware and rootkits. Versions of Excel affected by the flaw include Versions 2000, 2002 and 2003 and Service Pack 2, although Excel 2007, Excel 2003 and Service Pack 3 were not at risk, according to Microsoft.

The other two updates fix critical vulnerabilities in Office and the ActiveX web component. This is used not just by Office but also by Microsoft’s BizTalk Server, Commerce Server and the Internet Security and Acceleration Server.
