Excel Zero-Day Still Unpatched
Patch Tuesday includes 11 security bulletins with patches for 17 documented software flaws, but none for a Microsoft Excel zero-day that is under attack.

Microsoft has issued 11 security bulletins with patches for 17 documented software flaws. But Windows IT administrators are raising alarm bells because Microsoft hasn't issued a fix for a critical Excel vulnerability that is already being exploited. Microsoft originally planned to ship a dozen bulletins, but at the eleventh hour one of the "critical" advisories was pulled to address concerns about patch quality.
Microsoft officials would not say which product was affected by the missing bulletin, but it's a general assumption in security circles that it was related to a memory corruption issue in Microsoft Excel 2004 and earlier versions.
On Jan. 15, 2008, Microsoft acknowledged the bug in a pre-patch advisory and warned that unknown attackers were using rigged .xls files to launch targeted code-execution attacks.
A spokesperson for the MSRC (Microsoft Security Response Center) confirmed for eWEEK that the Excel zero-day is still unpatched.
According to Jonathan Bitle, director of technical account management at Qualys, the missing Excel update is a "big worry."
"Excel is such a [widely used] product by business users all over the world that it's a big concern to leave a known vulnerability unpatched for an extended period of time. I imagine there will be an uproar from Microsoft customers," Bitle said in an interview.
"I'm really surprised they didn't get this [Excel] fix out the door, since it's known that it's been exploited in the wild," he added.
However, Bitle said Windows administrators almost universally prefer a fully tested, high-quality update instead of a patch that causes applications to break or doesn't fix the underlying vulnerability.
"Anytime there's a potential for a company to have a false sense of security, I think that's worse than leaving it unpatched. The first person to figure out that the patch doesn't work will probably be someone with malicious intent. It's good to err on the side of caution when it comes to patch quality," Bitle said.
Greenbaum said the client-side bugs can be exploited to distribute malware through trusted sites, e-mail attachments or links embedded in instant messaging conversations.
"These vulnerabilities underscore the importance of having a full security suite to protect consumers and enterprises from being exploited, since they can no longer only rely on traditional best practices alone, such as avoiding unknown or unexpected e-mail attachments or following Web links from unknown sources," Greenbaum said.