Reseller News

Microsoft patches a dozen bugs in Office

Fixes a 2-month-old Excel exploit, patches another URI protocol handler flaw

Microsoft issued four critical updates Tuesday that quashed 12 bugs in Office, the company's business suite, including a flaw in Excel that has been exploited by attackers for more than two months.

Tuesday's tally was a dramatic decrease from February's, when Microsoft unveiled 11 security bulletins and plugged 17 holes. Of the dozen vulnerabilities disclosed today, however, 11 were ranked "critical," Microsoft's highest rating in its four-step threat-scoring system. That was more than double the number of critical bugs crushed last month. The twelfth vulnerability of today was pegged as "important," the second-highest rating.

There's no question that MS08-014, the bulletin that fixes seven flaws in Microsoft Excel, is the one to work first, said Andrew Storms, director of security operations at nCircle Network Security Inc. "[MS08-]014 is definitely the most important of today's bulletins. It covers so many vulnerabilities and at least one was already known and was being exploited."

The sheer number of bugs quashed by the Excel update and the number of researchers Microsoft credited led Storms to some speculation. "The number of acknowledgments tells me that the exploit was more widely used, and the fix for [it and the others] more detailed than we'd been led to believe. That's probably why it took them the two months to come up with a fix."

Microsoft tipped its hat to eight different security researchers from VeriSign, iDefense Labs, Fortinet, TippingPoint, Websense and other vendors in the description of the Excel patches. Two, Mike Scott of SAIC and Matt Richard of VeriSign, were credited with notifying Microsoft of the currently-exploited bug.

That vulnerability, said Microsoft, was in the code that handled macros within spreadsheets. Exploits have circulated for two months minimum, with a spike spotted just yesterday by several security organizations, including Symantec and US-CERT.

In mid-January, Microsoft issued a security advisory that noted targeted attacks had been discovered exploiting a then-unknown Excel bug. At the time, Microsoft offered several workarounds, including one that recommended Office 2003 users run suspect Excel worksheets through MOICE (Microsoft Office Isolated Conversion Environment), a free conversion tool released last year that converts Office 2003 formatted files into the more secure Office 2007 formats.

Yesterday, both the SANS Institute's Internet Storm Center (ISC) and Homeland Security's US-CERT warned of new attacks using the Excel bug; earlier today, Symantec weighed in, too.

"The incidents...have been limited to a very specific targeted attack and were not widespread," said ISC analyst Maarten Van Horenbeeck Monday in a note posted on the group's site. "We [counted] approximately 21 reports of attacks using only 8 different files, from within the same two communities, so far."

But Storms thought the recent uptick was probably just a coincidence. "It may have been [attackers] using the exploit one last time before Microsoft patched it, but then again, the vulnerability has been out there for months." The increase might have been caused by other hackers joining the fray, he said. "Once an exploit it being used, it only takes time before someone captures and retools it," Storms noted. The bump in discovered attacks could have come from those second-tier hackers.

Page Break

For Storms, MS08-015 was the second-most-important bulletin of the quartet. Affecting every supported version of Outlook -- and critical across the board, even on the newest edition, Outlook 2007 -- the bug is located in code that tells Microsoft's e-mail client how to handle the "mailto:" URI protocol handler.

URI (Uniform Resource Identifier) protocol handler bugs have plagued Microsoft's software, as well as that of other vendors, since last summer. Microsoft patched a general protocol handler flaw in Windows back in November, for example, but only after several months of sometimes contentious debate about who was responsible for the vulnerability.

It's likely, said nCircle's Storms, that the mailto: flaw in Outlook was actually discovered during the URI protocol handler dustup, and reported privately to Microsoft around then. "It makes sense that this was disclosed about the same time," said Storms. "Everybody was scrutinizing the URI issue, so the likelihood of someone finding it then was really high." Because the bug was reported directly to Microsoft and news of it didn't leak, Microsoft could take its time crafting a patch, Storms theorized. Microsoft credited Greg MacManus of iDefense Labs for reporting the vulnerability.

Unlike most Office-related vulnerabilities, however, the Outlook bug isn't in a file format, and doesn't require hackers to deliver rigged attachments. Instead, the bug can be triggered by simply clicking on a specially-crafted mailto: URI that would then take the victim to a malicious or hacked Web site.

The other two bulletins -- MS08-016 and MS08-017 -- fix a pair of parsing and memory corruption bugs in several versions of Office, and plug two holes in Office Web Components, controls that let users publish spreadsheets, charts and databases to the Web, then view that content once it's published.

What's interesting, Storms said, is that those vulnerabilities, as well at the other eight in the dozen patched today, can all be mitigated by doing what Microsoft and others constantly recommend: Run Windows as a local user, not with admin rights. "This might be the first month ever that running [as a local] user protects you from all the bugs," Storms said.

On the trend line, both Storms and Amol Sarwate, the manager of Qualys Inc.'s vulnerability lab, pointed to the emphasis on client applications, not the operating system, in today's updates. "The trend again is of vulnerabilities in client-side applications," said Sarwate, noting the shift toward exploiting flaws in commonly-used programs like Microsoft Office.

"If you look at these, there's a lot of copy and paste," said Storms, referring to the bulletins' descriptions and the other flavor of today's updates. "They're all [about] Office, they're all critical. That totally makes sense [and] may be a turning point for Microsoft. Maybe they're clearing out the last batch of vulnerabilities in Office. It's such a homogeneous bunch and so similar all down the line.

"Maybe they've finally gotten their act together," Storms concluded.

The four security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.