Microsoft delivers 12 patches to plug Office; 7 for Excel flaws

Microsoft on Tuesday delivered several patches to fix critical vulnerabilities in Office including a well-publicized Excel flaw.

In the first bulletin (MS08-014), Microsoft addressed "several privately reported and publicly reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file." This vulnerability allowed a remote attacker to take control of a system, install, view and change data and create new accounts. The CVE numbers for these vulnerabilities include:

• Excel Data Validation Record Vulnerability (CVE-2008-0111)
• Excel File Import Vulnerability (CVE-2008-0112)
• Excel Style Record Vulnerability (CVE-2008-0114)
• Excel Formula Parsing Vulnerability (CVE-2008-0115)
• Excel Rich Text Validation Vulnerability (CVE-2008-0116)
• Excel Conditional Formatting Vulnerability (CVE-2008-0117)
• Macro Validation Vulnerability (CVE-2008-0081)

These Excel flaws were discovered in January and left unpatched last month.

The list of folks finding these Excel vulnerabilities is long. Mike Scott of SAIC, Matt Richard of VeriSign, Greg MacManus of iDefense Labs, Yoshiya Sasaki of JFE Systems, Bing Liu of Fortinet, Cody Pierce of TippingPoint DVLabs and Moti Joseph and Dan Hubbard of Websense Security Labs all had a hand in pointing out the various vulnerabilities.

According to Microsoft the update is critical for Microsoft Office Excel 2000 Service Pack 3 and rated Important for Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel Viewer 2003, Excel 2007, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Office 2004 for Mac, and Office 2008 for Mac.

Among the other patches:

CVE-2008-0110:Microsoft issued a patch to plug a vulnerability in Outlook. According to Microsoft's description:

The vulnerability could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane.

CVE-2008-0113 (Microsoft Office Cell Parsing Memory Corruption Vulnerability) and CVE-2008-0118 (Microsoft Office Memory Corruption Vulnerability): These patches plug two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a malformed Office file. These flaws are critical for Microsoft Office 2000 and rated Important for supported editions of Microsoft Office XP, Microsoft Office 2003 Service Pack 2, Microsoft Excel Viewer 2003 and Microsoft Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac.

These updates are critical for Microsoft Office Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2 and Service Pack 3, and Outlook 2007. MacManus of iDefense Labs reported the Outlook URI Vulnerability. Arnaud Dovi, working with Zero Day Initiative, discovered CVE-2008-0113 and an anonymous tipster reported CVE-208-0118.

CVE-2006-4695 (Office Web Components URL Parsing Vulnerability) and CVE-2007-1201 (Office Web Components DataSource Vulnerability): Microsoft patched two privately reported vulnerabilities in Microsoft Office Web Components. According to Microsoft "these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page." The update is critical for implementations of Microsoft Office Web Components 2000 on Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000 and Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2.

Chris Ries of VigilantMinds Inc., Xiao Hui of NCNIPC and Yuval Ben-Itzhak of Finjan reported the vulnerabilities.