Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

Microsoft Patches Multiple Excel Flaws

By Ed Oswald, BetaNews

March 14, 2006, 4:57 PM

Microsoft rolled out two patches for vulnerabilities as part of its monthly Patch Tuesday effort, fixing six vulnerabilities in Microsoft Office, and a less significant but still dangerous flaw within Windows.

The patch dealing with the Office vulnerability contained fixes for five issues within Excel, including malformed range, file format parsing, description, graphic and record flaws. In each case, an attacker could take complete control of an affected system if the user was logged in as an administrator.

Microsoft also fixed a flaw that occurs when using a malformed routing slip within an Office document. Remote code execution as well as a complete system takeover would also be possible through this vulnerability.

In a twist from past Patch Tuesdays, this update additionally disclosed that users of Microsoft Office for Mac products were also at risk. All Windows Office versions from 2000 onward were vulnerable, Microsoft said.

Assistance in fixing the vulnerability came from a host of sources, including Symantec, FelicioX, NGS Software, TippingPoint and the Zero Day Initiative, the Fortinet Security Response Team, and the XFOCUS Security Team.

The Windows patch was for a vulnerability discovered by a pair of Princeton Researchers. In computers running either Windows Server 2003 without the service pack or Windows XP SP1, a privilege vulnerability flaw exists that would allow an attacker to easily find privilege escalation vulnerabilities in third-party applications.

Proof of concept code for this flaw was released publicly one month ago, and detailed how ACLs -- short for access control lists -- could be exploited. These tables of data tell the computer what rights a user has for each system object.

However, coding errors resulted in vulnerabilities that allow these lists to be bypassed by attackers.

More information on the vulnerabilities can be found at Microsoft TechNet. Users are recommended to upgrade their systems using Windows Update or the built-in Automatic Updates feature.

Add a Comment (8 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By mjm01010101

posted Mar 15, 2006 - 2:56 AM

Synced WSUS today at 1 p.m., tested about 10 machines, no reboots on any of them, good to approve for the rest.

Score: 0

By WhistlerXP

posted Mar 14, 2006 - 8:01 PM

Will wait for my master, Windows Update, to alert me to the patches. I don't install any patches until Windows Update tells me to do so.

Score: 0

By asellus

posted Mar 15, 2006 - 12:53 AM

If you have Windows SP2 and doesn't have Microsoft Office, there will be no patch to install.

Score: 0

By Adrian79

posted Mar 15, 2006 - 1:47 AM

i have Office 12 beta....still no patch today

Score: 0

By The MAZZTer

posted Mar 14, 2006 - 8:37 PM

Then you will be vulnerable until that time. :)

Don't worry... I don't see any updates released today except for the Malicious Software Removal Tool.

Score: 0

By Das mod

edited Mar 14, 2006 - 6:02 PM

MS should only release flaws ....
and an ocassional patch in case you need to work in the actual software ....
something like
Microsoft Flaw 2003
Microsoft Patches 2003
part of the Microsoft Vulnerability Suite 2003

.........

Score: 0

By itanshi

posted Mar 14, 2006 - 7:48 PM

has a nice ring to it ^^

Score: 0

By irdepesca572

posted Mar 14, 2006 - 5:47 PM

Almost forgot. Thanks for the reminder!

Score: 0

Nov 21 - 9:29 PM ET Hurd's the word in Ballmer's e-mail nightmares

Nov 21 - 6:51 PM ET Coalition urges better laws for e-mail and cell phone privacy

Nov 21 - 6:42 PM ET How is Internet advertising faring in this bad economy?

Nov 21 - 6:15 PM ET From out of the Amazon Cloud, an AWS winner emerges

Nov 21 - 5:20 PM ET Mufin music finder enters public beta, adds widgets

Nov 21 - 5:01 PM ET Google launches its SearchWiki semantics plug-in

Nov 21 - 4:57 PM ET Asus previews a slimmer, less costly Eee PC

Nov 21 - 4:32 PM ET New Adobe Media Player ushers in AIR 1.5

Nov 21 - 2:11 PM ET AT&T to add Pantech's low-cost C630 phone to 3G lineup

Nov 21 - 1:11 PM ET iPhone gets firmware 2.2 update