Excel Focus of July Patch Tuesday
Microsoft released a bevy of critical updates Tuesday, with a focus on the multitude of Excel vulnerabilities that have sprung up over recent months.
Eight different flaws within the popular spreadsheet program were fixed in a single update, along with two critical flaws in Windows, two other critical issues affecting Office and other Microsoft programs, and "important" issues with the .NET Framework and IIS.
The Excel update includes fixes for various issues with malformed records and values, the most serious of which could open up a user's machine to a remote code execution risk. The patch also replaces a previous one issued in March to correct other issues within Excel.
The fix also closes holes that attackers exploited in zero-day attacks that cropped up in the middle of last month.
In addition to the Excel patch, Microsoft fixed two other vulnerabilities in Office. One deals with a parsing flaw that could lead to remote code execution and a system takeover risk. A similar risk exists for another patched flaw, this time dealing with issues in how Office handles malformed PNG and GIF files.
In Windows, Microsoft has patched two problems with the Server and DHCP services. In the Server service, a vulnerability in the driver could open a system up to a takeover risk, and a separate information disclosure flaw could allow an attacker to view fragments of memory used to store SMB traffic during transport.
In DHCP services, a buffer overrun flaw could allow for remote code execution and system takeover, Microsoft says.
In addition to the critical updates, the Redmond company also released two patches rated "important," which mainly affect those running Web sites on the Windows platform. The first fills a hole in ASP.NET security that exposed information that could assist in future attacks.
"Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce useful information that could be used to try to further compromise the affected system," Microsoft said.
Another patch resolves an issue where a specially crafted ASP file could exploit a flaw within IIS. The problem results from an "unchecked buffer."
Users can download all seven security bulletins immediately through Automatic Updates, or Microsoft's various other update services.