Microsoft has plugged a number of security holes on this month’s Patch Tuesday, including much-anticipated fixes for a slew of vulnerabilities affecting Microsoft Office Excel.
The company issued four security bulletins this month, each covering vulnerabilities that can be exploited remotely and are rated “critical”-Microsoft’s highest threat rating.
According to Microsoft, there are a total of seven Excel vulnerabilities, all of which could be exploited if a user opens a specially crafted file. The vulnerabilities lie in how Excel handles data validation records, file imports, style record data, malformed formulas and conditional formatting values, as well as how it handles rich text validation records when loading application data into memory and macros when opening specially-crafted Excel files. A successful exploit would allow the attacker to take complete control of an affected system, company officials wrote in the bulletin.
Microsoft warned users in January that hackers were launching limited, targeted attacks exploiting a zero-day bug in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for Mac.
In addition to the Excel issues, the company also addressed vulnerabilities affecting Microsoft Office Web Components. Vulnerabilities exist in the way Microsoft Office Web Components manages memory resources when parsing specially crafted URLs and manages memory resources, according to the bulletin. In both cases, an attacker could exploit the vulnerability by constructing a specially crafted Web page. When viewed by the user, the vulnerability could allow for remote code execution.
Ben Greenbaum, a senior research manager at Symantec Security Response, counted the threat posed by the Microsoft Office Web Components vulnerabilities as the most significant issue addressed by the patches.
“All of these security bulletins are serious, but the Microsoft Office Web Components one stands out because these ActiveX components are widely distributed and relatively easy to exploit,” Greenbaum said in a statement. “We’ve observed attackers continuing to target Web plug-ins in their quest to quickly and quietly install malicious code onto users’ computers.”
The security bulletins also included patches on vulnerabilities affecting Microsoft Outlook that could be exploited by passing a specially crafted mailto URI, as well as a cell parsing memory corruption vulnerability and a vulnerability in the way MS Office processes malformed Office files. The Microsoft Office vulnerabilities affect Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 Service Pack 3 and Microsoft Office 2004 for Mac, according to the bulletin.