On Patch Tuesday, Microsoft fixed 12 vulnerabilities in four security bulletins. Every one of them fixes bugs in Microsoft Office.
Included is a fix for the zero-day remote-code-execution vulnerability in Excel. The exploit was made public in January; the flaw is corrected by the MS08-014 patch, which addresses seven vulnerabilities in Excel. The other patches, MS08-015, MS08-016 and MS08-017, address issues in Outlook, Office and Office Web Components, respectively.
All the security bulletins are serious, but the Office Web Components patch stands out because these ActiveX components are widely distributed and relatively easy to exploit, according to Ben Greenbaum, senior research manager for Symantec Security Response. Symantec has observed attackers continuing to target Web plug-ins to quickly and quietly install malicious code.
"While browser plug-ins of all kinds represent an increasingly attractive vector for attackers, the security of other nonnetwork-facing applications is still a relevant issue as well," Greenbaum said. "With seven vulnerabilities being addressed in the Microsoft Excel patch, it's clear that users need to keep all software patched and up to date. Additionally, full-featured security software can protect users from attacks against some vulnerabilities well in advance of the availability of patches."
Because all four of the patches affect Microsoft Office, these patches cannot be ignored or delayed, urged Don Leatham, director of solutions and strategy at Lumension Security. The broad install base of Microsoft Office, he said, makes Office vulnerabilities an enticing target for hackers and cybercriminals.
"Microsoft Outlook is the dominant e-mail client in use today, and e-mail is also one of the most common attack vehicles used by hackers against organizations," Leatham said. "This will make Bulletin 2, a critical, remote-code-execution vulnerability which affects virtually all versions of Outlook, the biggest priority for IT administrators. This vulnerability affects all versions of Outlook, including Outlook 2007 running on Windows XP and Vista."
Where's the Missing Patch?
Sheldon Malm, director of vulnerability research for nCircle, a network-security firm that works with companies like Visa, US Cellular and Archer Daniels Midland, sees all four patches as equally important because they address client-side vulnerabilities. Of the 17 advisories so far in 2008, nine affected client-side technologies. That's not counting the 12 in Tuesday's release.
"My question is, where did the VBScript/JScript patch go that was announced and then pulled from the February updates?" Malm asked. "Attackers have had more than a month to uncover the vulnerability and write exploits. If there isn't an exploit in the wild on this one yet, I'm sure we'll see it before too long. This, perhaps, defines the one flaw in the advanced notification system -- we inform hackers of vulnerabilities of which they may not be aware and give them ample time to exploit."
Understanding the Attack Methods
The usual attack method targeting client-side applications is to entice an end user to open an infected attachment, or to click on a hyperlink that leads to an infected attachment, according to Amol Sarwate, manager of the vulnerability research lab at Qualys. Once the attachment is opened, the system becomes vulnerable to remote takeover.
"These attacks are especially nefarious as there is no simple traditional security approach, such as blocking an incoming traffic port, that would be able to detect and prevent its delivery to the intended recipient," Sarwate said. "Rather, prevention relies heavily on end-user education and regular system patching."