Microsoft delivers 11 patches, 6 critical; Excel flaw left unpatched

Updated: Microsoft delivered 11 patches on Tuesday addressing 17 vulnerabilities. Six updates fix critical flaws and five address important ones, but an already exploited Excel zero-day was left unpatched.

Microsoft's advance notification last week had listed 12 patches fixing seven critical vulnerabilities. One critical Windows update was pulled from the release because of quality issues.

A Microsoft spokesman confirmed that this batch of patches doesn't address the Excel flaw reported last month. On Jan. 16, the Microsoft Security Response Center confirmed ongoing attacks against Excel. Microsoft at the time recommended two workarounds: run incoming files through the Microsoft Office Isolated Conversion Environment (MOICE), which converts legacy binary Office files to the Open XML format in a sandboxed process and discards the malformed structures an exploit relies on, or use the Office File Block policy to refuse Office 2003 and earlier binary formats except for files opened from Trusted Locations.
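The two workarounds above, as an added example that is not part of the original post or of Microsoft's advisory: a PowerShell script that turns on Excel File Block for the binary formats, adds a Trusted Location exemption, re-associates the legacy Excel extensions with MOICE and audits the result. The registry paths and MOICE ProgIDs are as I recall them from Microsoft's File Block and MOICE guidance, so treat them as assumptions to verify against the advisory before deploying; the trusted share path is a placeholder, and MOICE needs the Office 2007 Compatibility Pack installed.

```powershell
# Added example (not from the article or from Microsoft): applies and audits the
# two workarounds Microsoft recommended for the unpatched Excel flaw.
# 1. File Block: refuse Excel 97-2003 binary files (.xls/.xlt/.xla) unless they
#    are opened from a Trusted Location.
# 2. MOICE: re-associate legacy Excel extensions with the Office Isolated
#    Conversion Environment so files are converted to Open XML in a sandbox
#    before Excel parses them (requires the Office 2007 Compatibility Pack).
# Registry paths and ProgIDs are as recalled from Microsoft's guidance
# (assumption: verify against the advisory). Run from an elevated session.

$FileBlockKeys = @{
    'Excel 2003 SP3' = 'HKCU:\Software\Policies\Microsoft\Office\11.0\Excel\Security\FileOpenBlock'
    'Excel 2007'     = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock'
}

# MOICE ProgIDs for the legacy Excel extensions, and the stock ProgIDs to restore.
$MoiceAssoc  = @{ '.xls' = 'oice.excel.sheet'; '.xlt' = 'oice.excel.template'; '.xlw' = 'oice.excel.sheet' }
$NativeAssoc = @{ '.xls' = 'Excel.Sheet.8';    '.xlt' = 'Excel.Template';      '.xlw' = 'Excel.Workspace' }

function Enable-ExcelBinaryFileBlock {
    foreach ($entry in $FileBlockKeys.GetEnumerator()) {
        if (-not (Test-Path $entry.Value)) { New-Item -Path $entry.Value -Force | Out-Null }
        # BinaryFiles = 1 blocks the binary (BIFF) formats; Open XML (.xlsx) is unaffected.
        New-ItemProperty -Path $entry.Value -Name 'BinaryFiles' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Add-ExcelTrustedLocation {
    # Exempts one folder (e.g. an internal file share) from File Block in Excel 2007.
    param([Parameter(Mandatory)][string]$Path, [switch]$AllowSubfolders)
    $root = 'HKCU:\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations'
    if (-not (Test-Path $root)) { New-Item -Path $root -Force | Out-Null }
    # Excel numbers these keys Location0, Location1, ...; pick the next free index.
    $used = Get-ChildItem $root | ForEach-Object { [int]($_.PSChildName -replace '\D', '') }
    $next = if ($used) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 0 }
    $key  = New-Item -Path (Join-Path $root "Location$next") -Force
    New-ItemProperty -Path $key.PSPath -Name 'Path' -Value $Path -Force | Out-Null
    $sub = if ($AllowSubfolders) { 1 } else { 0 }
    New-ItemProperty -Path $key.PSPath -Name 'AllowSubfolders' -PropertyType DWord -Value $sub -Force | Out-Null
}

function Set-ExcelMoiceAssociation {
    # -Revert puts the native Excel associations back once the real patch ships.
    param([switch]$Revert)
    $map = if ($Revert) { $NativeAssoc } else { $MoiceAssoc }
    foreach ($ext in $map.Keys) {
        # ASSOC is a cmd.exe builtin (it writes HKCR\<ext>), hence the cmd /c wrapper.
        cmd /c "assoc $ext=$($map[$ext])" | Out-Null
    }
}

function Get-ExcelWorkaroundState {
    # Audit view: are both workarounds in place for this user profile?
    $state = [ordered]@{}
    foreach ($entry in $FileBlockKeys.GetEnumerator()) {
        $v = (Get-ItemProperty -Path $entry.Value -Name 'BinaryFiles' -ErrorAction SilentlyContinue).BinaryFiles
        $state["FileBlock ($($entry.Key))"] = ($v -eq 1)
    }
    $xls = cmd /c 'assoc .xls' 2>$null
    $state['MOICE (.xls)'] = ($xls -like '*=oice.excel.sheet')
    [pscustomobject]$state
}

Enable-ExcelBinaryFileBlock
Add-ExcelTrustedLocation -Path '\\fileserver\finance' -AllowSubfolders   # placeholder share
Set-ExcelMoiceAssociation
Get-ExcelWorkaroundState
```

Both settings are per-user, so roll them out through Group Policy preferences or a logon script rather than once per machine, and keep `Set-ExcelMoiceAssociation -Revert` handy for when the Excel patch finally ships.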

Given that Excel is in nearly every enterprise, leaving the flaw unpatched may raise some hackles. A Microsoft spokesman indicated that the Excel patch wasn't ready for prime time. Here's Microsoft's statement sent to me:

Microsoft is always investigating potential and existing vulnerabilities in an effort to help protect our customers. Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release.

Among the more notable February patches for critical flaws:

MS08-008: Microsoft addressed a vulnerability in Windows OLE Automation that could allow remote code execution. Microsoft said: "This security update addresses the vulnerability by adding a check on memory requests within OLE Automation." Affected software includes Windows 2000, Windows XP, Windows Vista, Microsoft Office 2004 for the Mac and Visual Basic 6.

MS08-009: This patch addresses a vulnerability in Word that could allow remote code execution. Microsoft noted: "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." Affected software includes Office 2000, Office 2003 and Office Word Viewer 2003.

MS08-007: Another XP and Vista patch, this one fixing a flaw in the WebDAV Mini-Redirector, the client-side component that maps WebDAV shares. In a nutshell, a malicious WebDAV server's response gives an attacker another avenue to take control of a system, install programs and do other things.

MS08-010: This update fixes multiple flaws in IE that allow remote code execution. Microsoft said: "The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles HTML and validates data, as well as by setting the kill bit for an ActiveX control." Stray thought: You could just kill ActiveX.

MS08-012: This update resolves a remote code execution flaw in Microsoft Office Publisher. It affects Microsoft Office Publisher 2000, supported releases of Microsoft Office Publisher 2002 and supported editions of Microsoft Office Publisher 2003 Service Pack 2.

MS08-013: Microsoft's update here covers a remote code execution vulnerability in Office. It is rated critical for Office 2000 and important for Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2004 for Mac.
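The kill bit that MS08-010 mentions, as an added example that is not from the article or from the bulletin: a PowerShell script that sets, checks and enumerates ActiveX kill bits. IE looks up a control's CLSID under the ActiveX Compatibility key and refuses to instantiate it from a web page when bit 0x400 of "Compatibility Flags" is set, which is how Microsoft retires a control without uninstalling it. The CLSID used below is a placeholder, not the control the bulletin kill-bits; take the real one from the bulletin.

```powershell
# Added example (not from the article or from Microsoft): audit and set the
# ActiveX "kill bit". IE consults
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# value "Compatibility Flags"; when bit 0x400 is set the control is never
# instantiated from a web page, regardless of zone settings. On 64-bit Windows
# the 32-bit IE reads the Wow6432Node mirror, so both hives are handled.
# The demo CLSID is a placeholder (assumption), not the MS08-010 control.

$KillBit = 0x400
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$KeyPath)
    # [int]$null is 0, so an absent value reads as "no flags".
    [int](Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }   # no Wow6432Node on 32-bit Windows
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit in rather than overwrite, so other compatibility flags survive.
        $new = (Get-CompatFlags $key) -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatFlags (Join-Path $CompatRoots[0] $Clsid)
    return (($flags -band $KillBit) -ne 0)
}

function Get-KillBittedControls {
    # Lists every CLSID carrying the kill bit, resolving the friendly name from HKCR
    # where the control is still registered. A kill bit for a control that is no
    # longer installed is normal: bulletins leave the flag in place on purpose.
    Get-ChildItem $CompatRoots[0] | ForEach-Object {
        $flags = Get-CompatFlags $_.PSPath
        if (($flags -band $KillBit) -ne 0) {
            $name = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.PSChildName)" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ CLSID = $_.PSChildName; Name = $name; Flags = ('0x{0:X}' -f $flags) }
        }
    }
}

# Placeholder CLSID for demonstration only; substitute the CLSID from the bulletin.
$DemoClsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $DemoClsid
Test-ActiveXKillBit -Clsid $DemoClsid          # True once the flag is written
Get-KillBittedControls | Format-Table -AutoSize
```

Running `Get-KillBittedControls` before and after Patch Tuesday is a cheap way to see which control a cumulative IE update retired, since the bulletin text often names the CLSID only in a knowledge base article.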


Talkback

61 comments
  • Conflicting Title

    The headline had me worried that Microsoft wasn't going to release the patches.
    nucrash
  • me too

      nt
      NoThomas
      • duly noted

        I meant "drops" as in a "put in a dropbox" type of way, but I see your point. I changed it to "delivers" when I updated that Excel nugget.
        Larry Dignan
        • Thank you

          I am sure many Linux zealots misreported this in hopes that Microsoft messed up.
          nucrash
          • RE: Thank you

            >>>I am sure many Linux zealots misreported this in hopes that Microsoft messed up.<<<

            And you can always count on at least one idiot to try and start some s__t!
            richdave
          • Where's Linux Geek when ya need the pot stirred?

            n/t
            Wolfie2K3
          • RE: Where's Linux Geek when ya need the pot stirred?

            All we need. A flame war about a non story
            joe6pack_z
        • Succinct

          ...and to the point. Nice post!

          I applied all of the patches shown, via the links in the post - in less than 5 minutes.

          Cheers L.D.

          :^)
          thx-1138_
    • Agree

      You're right: Patches are "released", "posted", or "provided".

      Software versions can be "dropped", but that usually implies an internal development baseline -- not for public use.

      I had to read the headline twice to get the context of what they meant by "drops".
      dbucciar
      • Wow!

        That was a quick response to the concerns about the title... thanks!
        dbucciar
    • Title is still misleading....

      [i]Microsoft [b]delivers[/b] 11 patches...[/i]

      How is Microsoft [b]delivering[/b] these patches? Snail mail? FedEx Ground? Air mail? (I have wireless.) Do I have to tip the delivery driver like when I order pizza? It would be so much easier if they would just [b]drop[/b] them like they always do.
      Just having some fun, folks. No need to throw rocks. ;-)
      MGP2
      • Picky Picky

        Deliver means that it is available. Dropping could be interpreted as "Dropped the ball" or "Dropped work on them"

        Deliver doesn't have to be a tangible item.
        nucrash
        • Did you miss something?

          Either you failed to read the entire post or you chose to ignore the last line just so you could throw a rock. Once again, the last line, cut & pasted directly from my original stated:

          Just having some fun, folks. No need to throw rocks. ;-)
          MGP2
          • Too busy to pay attention

            Let ye who cast stones be without sin.

            Or did I mess that up.
            nucrash
  • Did these make it to SP1? Prolly not?

    Do we install these before or after SP1? And...are there 11 or 17 vulnerabilities...6 + 5 = 11....
    Techboy_z
  • RE: Microsoft drops 11 patches, 6 critical

    "Six updates fix critical flaws" is a world-class tongue twister!
    jenny.howard@...
    • Already Fixed in SP3?

      I am running XP SP3 RC1 and according to Microsoft Update I only needed the Malicious Software Removal Tool (KB890830), Update for Outlook Junk Email Filter 2007 (KB944965), and Update for Windows Live Sign-in Assistant (KB947449). I run Office 2007 so a few wouldn't apply anyway seemingly; but I notice a couple of fixes pertaining to XP are missing. I take it they were included in SP3? If that were the case - I downloaded this Service Pack in December and installed it on my other computer to test it over Xmas before installing it on this one - Why have M$ been holding fixes back until now? Why didn't they release them on January's Patch Tuesday?
      Shazzalive
  • Curious about the IE7 vulnerabilities on Vista

    According to the details the code will be executed with the same privileges as the logged on user. Does this mean Protected Mode is bypassed by these vulnerabilities?
    ye
    • Good question

      I sent to Microsoft's PR guy. Will let you know what I hear. The patch was all encompassing for IE.
      Larry Dignan
      • when you do this

        could you confirm that the Word fix now means we don't have to use the convert-to-XML-Word2007 on incoming Word files?

        Or was it a less sweeping fix than this?

        It would be good to know what's coming in the same sense, for the Excel fix bypassed for today.

        Thank you, Larry, and regards.
        Narr vi