Microsoft Patches Multiple Excel Flaws
Microsoft rolled out two patches for vulnerabilities as part of its monthly Patch Tuesday effort, fixing six vulnerabilities in Microsoft Office, and a less significant but still dangerous flaw within Windows.
The patch dealing with the Office vulnerability contained fixes for five issues within Excel, including malformed range, file format parsing, description, graphic and record flaws. In each case, an attacker could take complete control of an affected system if the user was logged in as an administrator.
Microsoft also fixed a flaw that occurs when using a malformed routing slip within an Office document. Remote code execution as well as a complete system takeover would also be possible through this vulnerability.
In a twist from past Patch Tuesdays, this update additionally disclosed that users of Microsoft Office for Mac products were also at risk. All Windows Office versions from 2000 onward were vulnerable, Microsoft said.
Assistance in fixing the vulnerability came from a host of sources, including Symantec, FelicioX, NGS Software, TippingPoint and the Zero Day Initiative, the Fortinet Security Response Team, and the XFOCUS Security Team.
The Windows patch was for a vulnerability discovered by a pair of Princeton Researchers. In computers running either Windows Server 2003 without the service pack or Windows XP SP1, a privilege vulnerability flaw exists that would allow an attacker to easily find privilege escalation vulnerabilities in third-party applications.
Proof of concept code for this flaw was released publicly one month ago, and detailed how ACLs -- short for access control lists -- could be exploited. These tables of data tell the computer what rights a user has for each system object.
However, coding errors resulted in vulnerabilities that allow these lists to be bypassed by attackers.
More information on the vulnerabilities can be found at Microsoft TechNet. Users are recommended to upgrade their systems using Windows Update or the built-in Automatic Updates feature.