Microsoft delivers 12 patches to plug Office; 7 for Excel flaws

Microsoft on Tuesday delivered several patches to fix critical vulnerabilities in Office including a well-publicized Excel flaw.

In the first bulletin (MS08-014), Microsoft addressed "several privately reported and publicly reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file." This vulnerability allowed a remote attacker to take control of a system, install, view and change data and create new accounts. The CVE numbers for these vulnerabilities include:

  • Excel Data Validation Record Vulnerability (CVE-2008-0111)
  • Excel File Import Vulnerability (CVE-2008-0112)
  • Excel Style Record Vulnerability (CVE-2008-0114)
  • Excel Formula Parsing Vulnerability (CVE-2008-0115)
  • Excel Rich Text Validation Vulnerability (CVE-2008-0116)
  • Excel Conditional Formatting Vulnerability (CVE-2008-0117)
  • Macro Validation Vulnerability (CVE-2008-0081)

These Excel flaws were discovered in January and left unpatched last month.

The list of folks finding these Excel vulnerabilities is long. Mike Scott of SAIC, Matt Richard of VeriSign, Greg MacManus of iDefense Labs, Yoshiya Sasaki of JFE Systems, Bing Liu of Fortinet, Cody Pierce of TippingPoint DVLabs and Moti Joseph and Dan Hubbard of Websense Security Labs all had a hand in pointing out the various vulnerabilities.

According to Microsoft the update is critical for Microsoft Office Excel 2000 Service Pack 3 and rated Important for Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel Viewer 2003, Excel 2007, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Office 2004 for Mac, and Office 2008 for Mac.

Among the other patches:

CVE-2008-0110: Microsoft issued a patch to plug a vulnerability in Outlook. According to Microsoft's description:

The vulnerability could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane.

CVE-2008-0113 (Microsoft Office Cell Parsing Memory Corruption Vulnerability) and CVE-2008-0118 (Microsoft Office Memory Corruption Vulnerability): These patches plug two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a malformed Office file. These flaws are critical for Microsoft Office 2000 and rated Important for supported editions of Microsoft Office XP, Microsoft Office 2003 Service Pack 2, Microsoft Excel Viewer 2003 and Microsoft Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac.

These updates are critical for Microsoft Office Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2 and Service Pack 3, and Outlook 2007. MacManus of iDefense Labs reported the Outlook URI Vulnerability. Arnaud Dovi, working with Zero Day Initiative, discovered CVE-2008-0113 and an anonymous tipster reported CVE-2008-0118.

CVE-2006-4695 (Office Web Components URL Parsing Vulnerability) and CVE-2007-1201 (Office Web Components DataSource Vulnerability): Microsoft patched two privately reported vulnerabilities in Microsoft Office Web Components. According to Microsoft, "these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page." The update is critical for implementations of Microsoft Office Web Components 2000 on Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000 and Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2.

Chris Ries of VigilantMinds Inc., Xiao Hui of NCNIPC and Yuval Ben-Itzhak of Finjan reported the vulnerabilities.

Talkback

12 comments
  • Now we just have to wait and see

    If the patches accomplish everything that they are supposed to or not.
    Shelendrea
    • They'll Accomplish A Lot

      They'll open up more holes and vulnerabilities..it's par for the course.
      itanalyst2@...
      • True enough

        But it might be nice to see them patch something every once in a while without having to patch the patch that patched the patch that patched the last patch that didn't fix anything.
        Shelendrea
        • Errr...What?

          *POP*!!!
          itanalyst2@...
          • Go along with the ride

            you're both on the same train.
            Boot_Agnostic
  • Wyitt Hopper .....who done you bother?

    Don't feel badly, anyone. I could have activated a beneficial copy of Office2003 for this year's software challenge and all forty-one pieces of script; including two, did I say <.pdb> bundles for Vista or Seven, but Nooooo! Internet Explorer took a dump on me! Lock out- Mr. Libby@{823487...{cabinet.dll}; is on suspension. "And It's Live From Bangalore, It's Saturday Night Live!"
    rtirman37@...
  • RE: Microsoft delivers 12 patches to plug Office; 7 for Excel flaws

    I'll bet they still haven't fixed Word's famous and nasty printing-pagination error (page 5 of 5 instead of page 5 of [number of pages]) that's been there since at least Word 98.
    Mandolinface
    • The pagination error seems to resurface

      after every major release.
      The page 1 of 1, page 2 of 2, page 3 of 3 etc. for every page in the document - usually fixed in the next Service Pack. But it does make you wonder which code base they use to start the new release. Excel just suffered the Leap Year issue this year, how does any mature product suffer that?
      deaf_e_kate
  • RE: Microsoft delivers 12 patches to plug Office; 7 for Excel flaws

    Well, all I can say is Gag Me With a Spoon! Microsoft releases the buggiest stuff ever.
    Steveg_z
  • WRONG!

    No flaws, patches, ....!
    All enhancements!





    http://fakesteveballmer.blogspot.com
    StvBallmer
    • Not even in the same league as Mike Cox

      C'mon, you can do better!
      ThePrairiePrankster
  • RE: Microsoft delivers 12 patches to plug Office; 7 for Excel flaws

    Before anyone gets excited, I just installed my beloved PCLinuxos on a new machine and post install updates numbered over 600. Scarcely a week goes by without an update of some kind. I like that, an OS that is continually improving. Windows has some updates. Big deal. Not much of a story.
    richdave