Microsoft on Tuesday issued a series of security patches to fix multiple problems in its Windows operating system and Microsoft Office productivity suite.
This is one of the more significant “patch Tuesdays” in terms of number and severity of included fixes, according to Ed Moyle, a manager in CTG’s Information Security Services Practice. The number of vulnerabilities, he noted, is significant this month.
“Microsoft has assigned the patches a rating of ‘critical.’ I agree with the critical designation as a number of the fixes remediate problems that allow remote code execution,” Moyle told TechNewsWorld.
Engaging Excel
Five of the six vulnerabilities in Office are related to the Excel spreadsheet software. The sixth problem affects some versions of Word, Outlook and PowerPoint. Microsoft Office 2000, 2003, XP and Microsoft Works Suites are affected as well as Microsoft Office 2004 and Office X for Mac.
With vulnerable versions of Office, if a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation, according to Microsoft Security Bulletin MS06-012. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The malicious code writer would have to entice the user to open a malformed Excel file, however, to infect the PC. Microsoft called the vulnerability critical and suggested that customers seek the update immediately.
Elevated Privileges
On the Microsoft Windows platform, a permissive Windows Services vulnerability could allow “elevation of privilege,” according to Microsoft Security Bulletin MS06-011. Microsoft classifies this vulnerability as “important.”
The Windows vulnerability affects Windows XP Service Pack 1 and Windows Server 2003. Much like the Office vulnerability, this weak spot could allow an attacker to take complete control of the affected system.
Specifically, a vulnerability exists where the permissions are set by default to a level that may allow a low-privileged user to change properties associated with the service. For Windows 2003, permissions on the identified services are set to a level that may allow a user that belongs to the network configuration operators group to change properties associated with the service.
No Complacency
One thing that is important to point out, Moyle noted, is that the MS06-012 update is a cumulative update, meaning, we’ve seen a number of these issues before and have, hopefully, been patching our machines against them over the past few months.
Just because we’ve seen them before doesn’t make it any less important for us to install the updates, Moyle said, because issues with Microsoft Office, such as those outlined in the MS06-012 advisory, are attractive targets for malware authors.
“Mass-mailing worms will often leverage issues in Office as part of their method of propagation. As such, I strongly advise that these patches be installed as soon as possible — particularly within the enterprise where the e-mailing of Office documents is more commonplace and expected,” Moyle said.