Menu
Microsoft patches a dozen bugs in Office

Microsoft patches a dozen bugs in Office

Fixes a 2-month-old Excel exploit, patches another URI protocol handler flaw

For Storms, MS08-015 was the second-most-important bulletin of the quartet. Affecting every supported version of Outlook -- and critical across the board, even on the newest edition, Outlook 2007 -- the bug is located in code that tells Microsoft's e-mail client how to handle the "mailto:" URI protocol handler.

URI (Uniform Resource Identifier) protocol handler bugs have plagued Microsoft's software, as well as that of other vendors, since last summer. Microsoft patched a general protocol handler flaw in Windows back in November, for example, but only after several months of sometimes contentious debate about who was responsible for the vulnerability.

It's likely, said nCircle's Storms, that the mailto: flaw in Outlook was actually discovered during the URI protocol handler dustup, and reported privately to Microsoft around then. "It makes sense that this was disclosed about the same time," said Storms. "Everybody was scrutinizing the URI issue, so the likelihood of someone finding it then was really high." Because the bug was reported directly to Microsoft and news of it didn't leak, Microsoft could take its time crafting a patch, Storms theorized. Microsoft credited Greg MacManus of iDefense Labs for reporting the vulnerability.

Unlike most Office-related vulnerabilities, however, the Outlook bug isn't in a file format, and doesn't require hackers to deliver rigged attachments. Instead, the bug can be triggered by simply clicking on a specially-crafted mailto: URI that would then take the victim to a malicious or hacked Web site.

The other two bulletins -- MS08-016 and MS08-017 -- fix a pair of parsing and memory corruption bugs in several versions of Office, and plug two holes in Office Web Components, controls that let users publish spreadsheets, charts and databases to the Web, then view that content once it's published.

What's interesting, Storms said, is that those vulnerabilities, as well at the other eight in the dozen patched today, can all be mitigated by doing what Microsoft and others constantly recommend: Run Windows as a local user, not with admin rights. "This might be the first month ever that running [as a local] user protects you from all the bugs," Storms said.

On the trend line, both Storms and Amol Sarwate, the manager of Qualys Inc.'s vulnerability lab, pointed to the emphasis on client applications, not the operating system, in today's updates. "The trend again is of vulnerabilities in client-side applications," said Sarwate, noting the shift toward exploiting flaws in commonly-used programs like Microsoft Office.

"If you look at these, there's a lot of copy and paste," said Storms, referring to the bulletins' descriptions and the other flavor of today's updates. "They're all [about] Office, they're all critical. That totally makes sense [and] may be a turning point for Microsoft. Maybe they're clearing out the last batch of vulnerabilities in Office. It's such a homogeneous bunch and so similar all down the line.

"Maybe they've finally gotten their act together," Storms concluded.

The four security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments