Microsoft today issued patches for seven potentially dangerous security flaws in the Microsoft Excel worksheet software and warned that hackers could launch remote code execution attacks if a Windows user opens a specially crafted Excel file.
The Microsoft Excel fixes headline this month's batch of Patch Tuesday updates, which also includes cover for a vulnerability in the Windows Movie Maker and Microsoft Producer 2003 programs.
One of the Excel flaws -- CVE-2010-0263 -- is the first vulnerability to be addressed in the new Open XML file format.
The Excel update (MS10-017) affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007.
As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited, according to Microsoft's security response team.
Although the second bulletin (MS10-016) lists Microsoft Producer 2003 in the affected products list, the company did not offer a patch for that piece of software.
Here's the explanation from Microsoft's Adrian Stone:
Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security.
Microsoft also re-released the MS09-033 bulletin to add Virtual Server 2005 to the affected products list.