Microsoft today released one critical fix for Office and
another deemed important targeting a hole in the Windows operating system.
The critical patch (MS06-012) replaces several prior security updates for Excel.
Six vulnerabilities were announced, all centered on one form or another
of malformed file formats.
The update addresses a remote code execution vulnerability in Microsoft Office 2000, Microsoft Office XP and Microsoft Works Suites.
“This update resolves several newly discovered, privately reported
and public vulnerabilities,” according to the company. The vulnerability
could allow attackers to view, change or delete data.
The other patch (MS06-011) affects users of Windows XP Service Pack 1, Windows Server 2003 and Windows Server 2003 Itanium.
The vulnerability opens Windows 2003 to the moderate risk of remote
attack while allowing someone with valid login credentials to take over
a networked Windows XP machine.
Mitigating the risks are the attacker’s need for a valid login to the XP
machine, the attacker’s need to be in supervisory mode and the attack’s
scope being limited to Windows XP Service Pack 1, according to Microsoft.
The patch also included an answer to problems some have experienced
when attempting to install the update.
Microsoft also included an advisory recommending Microsoft Windows XP, Windows 98, Windows 98 SE, and
Windows ME users upgrade to the latest Adobe Macromedia Flash Player.
Adobe said attackers could gain control of a computer by a person
loading a malicious SWF file into version 188.8.131.52 or earlier of the
Rounding out the patches, Microsoft released an update of its Windows
Malicious Software Removal Tool in response to Win32/Alcan,
Win32/Badtrans, Win32/Eyeveg, Win32/Magistr and Win32/MyWife.E.
Steve Manzuik, product manager for eEye Digital Security, said
today’s patches included nothing unexpected. The Excel flaws appeared to
have been first reported to Microsoft in November.
Today’s security updates follow a patch earlier this month modifying
how Internet Explorer 6.0 handles ActiveX controls.
Last month Microsoft released more than a half-dozen patches focusing on the Media Player
application and the Office suite. The next patch release will be April 11.