As part of its monthly patch cycle, Microsoft is fixing a flaw in its Excel program that attackers have been exploiting for the past two months.
The bug fixes were released Tuesday in four software updates for Excel, Outlook, Office 2000 and Office’s Web components. Microsoft rates all of the updates as critical, meaning that an attacker could theoretically exploit these flaws in order to hack into a victim’s computer.
In total, 12 vulnerabilities are fixed in the four updates.
Typically Microsoft includes bug fixes for Windows or Internet Explorer in its monthly security updates, and security experts said Tuesday that this is the first time they could remember Microsoft focusing the patches exclusively on Office.
It’s a sign of the times, according to Paul Zimski, senior director of market strategy with Lumension.
Between 2006 and 2007 the number of attacks targeting Office software doubled, he said. “Malicious entities are looking toward Office as a vector for delivering malicious code,” he said. “You can’t really mitigate against Office: organizations can’t block Office attachments and Office documents are generally trusted by users.”
Although all of Tuesday’s updates are critical, system administrators will want to pay special attention to MS08-014, because it fixes a publicly disclosed flaw that hackers have been exploiting for several months now. “This is the long awaited patch for the Excel zero day issue first reported in mid-January 2008,” said Eric Schultze, chief technology officer with Shavlik Technologies, via instant message. “Angst-ridden computer users can now sleep easy knowing that they can now open malicious Excel documents without fear of being hacked.”
“Patch this one as soon as possible if you visit illicit Web sites or open malformed Excel documents on a regular basis,” he added.
This previously disclosed bug affects users of Excel 2000, Excel 2002 and Excel 2003 Service Pack 2; customers running Excel 2007 or Excel 2003 Service Pack 3 are not at risk, according to Microsoft.
Another update to watch is MS08-015, which fixes a flaw that attackers could easily exploit. By tricking the victim into clicking on a specially crafted “mailto” Web link, an attacker could “install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in its security bulletin.
These types of bugs, called URI (Uniform Resource Identifier) handling flaws, have been increasingly studied by hackers and security researchers over the past year, and they have led to a number of effective Web-based attacks.
Schultze said that he would patch the MS08-015 update before all others. That’s because, while users may now be learning to hesitate before opening untrusted Office documents, they generally don’t think twice about clicking on a Web link.
“Clicking on the email link can allow the attacker to run code on your system, assuming that you have Microsoft Outlook,” Schultze said. “There would be very little way to know ahead of time whether or not the mail link was evil. I expect we’ll see exploit code for this very shortly.”
The two other security updates fix critical flaws in Office and in the Office Web Components ActiveX controls used by products such as Office, BizTalk Server, Commerce Server, and the Internet Security and Acceleration (ISA) Server.