Microsoft on Tuesday fixed 12 vulnerabilities in four security bulletins, all of which affect Microsoft Office.
The fact that all of the vulnerabilities reside in Microsoft Office supports the current belief that client-side vulnerabilities are more likely to bear fruit for hackers than server-side vulnerabilities, said Eric Schultze, chief technology officer of Shavlik Technologies.
MS08-014 (maximum severity of Critical) addresses a zero-day vulnerability in Microsoft Office Excel that Microsoft acknowledged in January. It could allow an attacker to take over an affected system if the victim opens a maliciously crafted Excel file.
Amol Sarwate, manager of the vulnerability research lab at Qualys, said that macro vulnerabilities in Excel have been a recurring problem for about a decade. While exploits for the Excel flaw have been spotted in the wild, he said that damage appears to be relatively limited. He also said it’s difficult to be sure about that because not all damage arising from exploitation of the vulnerability has been publicized.
The usual method of exploiting this kind of flaw is enticing a user to open a file. “This is a concern because there’s no simple firewall adjustment that can address this,” Sarwate said.
MS08-015 (maximum severity of Critical) addresses a new, privately reported vulnerability in Microsoft Office Outlook. The flaw could allow an attacker to read and re-route a user’s e-mail messages.
Schultze considers this vulnerability the most interesting of this month’s crop. “This is the first one I’d patch because it’s exploiting something that’s never been exploited before,” he said.
MS08-015 allows an attacker to execute remote code through Outlook if the victim clicks on a maliciously crafted “mailto:” link. “Users have never had to watch out for malicious e-mail links before,” said Schultze. “I think we’ll see this get exploited quite a bit.”
MS08-016 (maximum severity of Critical) repairs two new, privately reported vulnerabilities in Microsoft Office 2000. The vulnerabilities could allow an attacker to subvert an affected system.
MS08-017 (maximum severity of Critical) fixes two new, privately reported vulnerabilities in Microsoft Office Web Components. As above, these flaws could allow an attacker to take control of an affected system.
The four bulletins affect various versions of Microsoft Office. In the case of MS08-014, Mac versions of Office 2004 and Office 2008 are also affected.
Andrew Storms, director of security operations at nCircle, said this month’s patch cycle represented a “shining example” of mitigating Microsoft Office vulnerabilities. He noted that Office users without administrative privileges won’t be affected by these flaws as much as users running with full privileges.
Storms also said that Microsoft’s newer Office apps appear to be less vulnerable than its older ones. “When the support line for Office 2000 and Office 2003 drop off the board, we’re probably going to see a pretty significant reduction in Office vulnerability,” he said.
“Microsoft has been doing something right,” said Schultze. “Over time, the apps are getting better and stronger. It shows a trend toward Microsoft getting better at this.”