
A trio of zero-day exploits for Word emerged in December around the time of Microsoft's last patch release. The company's most recent updates for January contained four fixes, but none for Word.
Microsoft delivered its quartet of updates for January 2007. Three critical issues and one important issue received the tender ministrations only an infusion of Microsoft's security engineering can provide.
What they didn't do gives those of us who keep an eye on these sorts of pesky security issues some cause for concern. Even if you're running OpenOffice and enjoying the casual disregard you can have personally for the Microsoft Office threat du jour, you may be the one who an office full of Word users depends on to keep them safe from exploits.
If that is the case, Microsoft has left you in an alley in Cold War-era East Germany, with the secret police running around the streets with guns drawn looking for you. While Microsoft patched Excel, Outlook, and Internet Explorer, along with a fix for Office 2003's Brazilian Portuguese spell checker, no Word fixes made the release.
Also, users of Software Update Services (SUS) 1.0 did not receive updates on Tuesday. Christopher Budd noted SUS 1.0 customers were delayed. Microsoft has been urging those customers to upgrade to Windows Server Update Services.
WSUS customers were updated on Tuesday in a timely fashion. Here's a look at what Microsoft fixed in its first four security bulletins for 2007.
The Excel fix sealed up five vulnerabilities. All of them could have led to remote code execution if exploited.
Excel 2000 was particularly susceptible to each of the threats.
Two of Outlook's three vulnerabilities posed remote code execution problems before being corrected. The third could have been exploited to force a denial of service condition, crashing Outlook on a system.
A VML problem in Internet Explorer could have led to a buffer overflow in the browser. A malicious web page set up to take advantage of this issue would have led to remote code execution on the victim's PC.
User interaction would be required for the Office problem with the spell checker to permit remote code execution. The update is only needed for systems that have a Brazilian Portuguese or Spanish language version of one of the affected products listed in the bulletin.
All three Word problems as listed on the eEye Zero-Day tracking website have passed 30 days of life. They all appear to pose remote code execution threats to Word, and in some cases affect Word on the Mac as well as Windows platforms.
About the Author: David Utter is a technology writer for SecurityProNews, WebProNews, and InternetFinancialNews.