Microsoft Patches Lack Word Fixes
David Utter Staff Writer
2007-01-11
A trio of zero-day exploits for Word emerged in December around the time of Microsoft's last patch release. Microsoft's most recent updates for January contained four fixes, but none for Word.
Microsoft delivered its quartet of updates for January 2007. Three critical issues and one important issue received the tender ministrations only an infusion of Microsoft's security engineering can provide.
What they didn't do gives those of us who keep an eye on these sorts of pesky security issues some cause for concern. Even if you're running OpenOffice and enjoying the casual disregard you can personally have for the Microsoft Office threat du jour, you may be the one whom an office full of Word users depends on to keep them safe from exploits.
If that is the case, Microsoft has left you in an alley in Cold War-era East Germany, with the secret police running around the streets with guns drawn looking for you. While Microsoft patched Excel, Outlook, and Internet Explorer, along with a fix for Office 2003's Brazilian Portuguese spell checker, no Word fixes made the release.
Also, users of Software Update Services (SUS) 1.0 did not receive updates on Tuesday. Christopher Budd noted SUS 1.0 customers were delayed. Microsoft has been urging those customers to upgrade to Windows Server Update Services.
WSUS customers were updated on Tuesday in a timely fashion. Here's a look at what Microsoft fixed in its first four security bulletins for 2007.
The Excel fix sealed up five vulnerabilities. All of them could have led to remote code execution if exploited. Excel 2000 was particularly susceptible to each of the threats.
Two of Outlook's three vulnerabilities posed remote code execution problems before being corrected. The third could have been exploited to force a denial of service condition, crashing Outlook on a system.
A VML problem in Internet Explorer could have led to a buffer overflow in the browser. A malicious web page set up to take advantage of this issue would have led to remote code execution on the victim's PC.
User interaction would be required for the Office problem with the spell checker to permit remote code execution. The update is only needed for systems that have a Brazilian Portuguese or Spanish language version of one of the affected products listed in the bulletin.
All three Word problems as listed on the eEye Zero-Day tracking website have passed 30 days of life. They all appear to pose remote code execution threats to Word, and in some cases affect Word on the Mac as well as Windows platforms.
---
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.