Microsoft released four critical patches for its Office productivity suite on Patch Tuesday – the first time the software giant has focused entirely on one product in its monthly series of updates.
Microsoft patches 11 holes in Office
Of the 11 vulnerabilities contained in the four patches, nine of them addressed Excel, including a zero-day exploit that has been around since January.
The Office patches, experts say, also present unique challenges for IT in that users have to have the original installation media to install the patches. That media could be on CD-ROM, stored on the user's hard drive or on a network share. Regardless, to install the patches, IT will have to make that media available for every desktop.
"Microsoft originally did that for licence enforcement, but as we see vulnerabilities increase around Office it is something that is problematic for patching," say. Paul Zimski, senior director of market strategy at Lumension.
The problem could get worse as the SANS Institute listed 'office productivity suites' as one of its Top 20 security risks in 2007. Microsoft Office dominates that category of software and critical vulnerabilities on the platform have risen from fewer than three in 2003 to nearly 24 in 2007, according to SANS.
In addition, Office is a major focal point of Microsoft's software-plus-services initiative, especially as it relates to connecting users via collaboration.
While Excel contained the bulk of the flaws, the most serious issue may be MS08-015, which fixes a vulnerability that could allow a hacker to read existing email on a user's machine and hijack all subsequent email.
The flaw works off a hyperlink to an email address. The link can appear on a web page or within another email. When the user clicks on the email address link, they see a familiar operation - a new message opening on their desktop - but in the background code is simultaneously being executed on the user's system.
In addition, the command used to open the mail message - called 'MailTo' - can be hidden behind a regular looking web page hyperlink in order to trick the user to click on the link. When the user clicks they would be confused to see a new mail message instead of a web page, but the damage would already be done.
Microsoft said in its MS08-015 bulletin that the malicious code could allow the attacker to "potentially redirect all future messages to an attacker controlled location".
"We've never seen that kind of an attack before so users are not knowledgeable," says Eric Schultze, CTO of Shavlik Technologies. "Because this is a brand-new attack vector, I see it as a lot more dangerous."
Schultze says the flaw is not currently being exploited publicly but that it is likely only a matter of time before phishing and other malicious site begin to use it.
The vulnerability effects Microsoft Office Outlook 2000 Service Pack 3, 2002 Service Pack 3, 2003 Service Pack 2 and 3 and 2007.
Microsoft also issued MS08-014, which fixes the zero-day exploit in Excel first discovered in January. Users only need to open an Excel document to get hacked. The vulnerability allows the hacker to take over the user's machine.
The flaw is listed as critical for Office 2000, which automatically opens an Excel document if one appears on a web page. Office XP and 2003 show the users a prompt asking them if they want to open the document. The patch is listed as 'important' on those platforms and also on Office 2008 for Mac.
MS08-016 is similar in that if a user opens an Excel document the attack is launched, but the 016 patch is not being publicly exploited.
For more security news, reviews and tutorials, see Security Advisor