RealTime IT News

Microsoft Office, Windows Patched

Microsoft today released one critical fix for Office and another deemed important targeting a hole in the Windows operating system.

The critical patch, (MS06-012), replaces several prior security updates regarding Excel. Six vulnerabilities were announced, all centered on one form or another of malformed file formats.

The update addresses a remote code execution vulnerability in Microsoft Office 2000, Microsoft Office XP and Microsoft Works Suites.

"This update resolves several newly discovered, privately reported and public vulnerabilities," according to the company. The vulnerability could allow attackers to view, change or delete data.

The other patch, (MS06-011), affects users of Windows XP Service Pack 1, Windows Servers 2003 and Windows Server 2003 Itanium.

The vulnerability opens Windows 2003 to the moderate risk of remote attack while allowing someone with valid login credentials to take over a networked Windows XP machine.

Mitigating the risks are the need for attacks to have a valid login to the XP machine, the attacker's need to be in supervisory mode and the attack's scope limited to Windows XP Service Pack 1, according to Microsoft.

The patch also included an answer to problems some have experienced when attempting to install the update.

Microsoft also included an advisory recommending Microsoft Windows XP, Windows 98, Windows 98 SE, and Windows ME users upgrade to the latest Adobe Macromedia Flash Player.

Adobe said attackers could gain control of a computer by a person loading a malicious SWF file into version 8.0.22.0 or earlier of the player.

Rounding out the patches, Microsoft released an update of its Windows Malicious Software Removal Tool in response to Win32/Alcan, Win32/Badtrans, Win32/Eyeveg, Win32/Magistr and Win32/MyWife.E.

Steve Manzuik, product manager for eEye Digital Security, said today's patches included nothing unexpected. The Excel flaws appeared to have been first reported to Microsoft in November.

Today's security updates follow a patch earlier this month modifying how Internet Explorer 6.0 handles ActiveX controls.

Last month Microsoft released more than a half-dozen patches focusing on the Media Player application and the Office suite. The next patch release will be April 11.