Microsoft has issued 11 security bulletins with patches for 17 documented software flaws. But Windows IT administrators are raising alarm bells because Microsoft hasn't issued a fix for a critical—and already exploited—Excel vulnerability.

Microsoft originally planned to ship a dozen bulletins, but at the eleventh hour one of the "critical" advisories was yanked to address concerns about patch quality.

Microsoft officials would not say which product was affected by the missing bulletin, but it's a general assumption in security circles that it was related to a memory corruption issue in Microsoft Excel 2004 and earlier versions.

On Jan. 15, 2008, Microsoft acknowledged the bug in a pre-patch advisory and warned that unknown attackers were using rigged .xls files to launch targeted code-execution attacks.

A spokesperson for the MSRC (Microsoft Security Response Center) confirmed for eWEEK that the Excel zero-day is still unpatched.

According to Jonathan Bitle, director of technical account management at Qualys, the missing Excel update is a "big worry."

"Excel is such a [widely used] product by business users all over the world that it's a big concern to leave a known vulnerability unpatched for an extended period of time. I imagine there will be an uproar from Microsoft customers," Bitle said in an interview.

"I'm really surprised they didn't get this [Excel] fix out the door, since it's known that it's been exploited in the wild," he added.

However, Bitle said Windows administrators almost universally prefer a fully tested, high-quality update instead of a patch that causes applications to break or doesn't fix the underlying vulnerability.

"Anytime there's a potential for a company to have a false sense of security, I think that's worse than leaving it unpatched. The first person to figure out that the patch doesn't work will probably be someone with malicious intent. It's good to err on the side of caution when it comes to patch quality," Bitle said.
In all, the February Patch Tuesday batch includes six "critical" and five "important" bulletins and provides cover for serious code execution holes in Internet Explorer, Microsoft Word, Microsoft Office, OLE automation, Microsoft Publisher and the WebDAV (Web-based Distributed Authoring and Versioning) Mini-Redirector.

The cumulative IE update fixes a total of four vulnerabilities and is rated critical (remote code execution) for all supported versions of the browser, including the newest Internet Explorer 7 on Windows Vista.

Most of the "critical" updates address flaws in widely deployed products. For example, the Microsoft Word and Microsoft Publisher applications, which fall under the Office umbrella, both get a major security refresh to cover multiple vulnerabilities.

"While the batch of critical vulnerabilities all require some sort of user interaction to exploit, the interaction can be as simple as visiting a trusted Web site that has first been exploited by an attacker," said Ben Greenbaum, senior research manager for Symantec Security Response.

Greenbaum said the client-side bugs can be exploited to distribute malware through trusted sites, e-mail attachments or links embedded in instant messaging conversations.

"These vulnerabilities underscore the importance of having a full security suite to protect consumers and enterprises from being exploited, since they can no longer only rely on traditional best practices alone, such as avoiding unknown or unexpected e-mail attachments or following Web links from unknown sources," Greenbaum said.