Archive for March, 2008

Reflections on March 2008 Patch Day

It’s an all Office patch day today. More to the point, an all Excel day. Nine of the twelve vulnerabilities addressed this month relate to Microsoft Excel. The twelve vulnerabilities were encapsulated in 4 security bulletins – each one patching an Office related client side vulnerability. Order of importance to patch for the month: MS08-015, MS08-014, MS08-016, MS08-017.

Seven different ways to hack a user with an Excel file. This is the long awaited patch for the Excel zero day issue first reported in mid-January 2008. Angst-ridden computer users can now sleep easy knowing that they can now open malicious Excel documents without fear of being hacked. One of the exploit vectors was publicly known (Macro validation vulnerability) and is being actively exploited. The other 6 attack vectors were identified and reported to Microsoft via private parties (or pay for exploit companies). This is Critical on Office 2000, and Important on Office XP and Office 2003 (because Office 2000 systems may automatically launch the evil document the moment you visit the evil website – you’re not given any heads up that the file will be opened. In later Office versions, it will prompt if you want to open or save the document.) Patch this one ASAP if you visit illicit websites or open malformed Excel documents on a regular basis.

Outlook URI handling flaw This one is much more interesting and is more likely to be exploited. In this scenario, an attacker can create a web page with a link to ‘click here to email me’, or simply an email address with a hyperlink (as is found on many websites.) Clicking on the email link can allow the attacker to run code on your system, assuming that you have Microsoft Outlook on your system (and set as your default mail program). There would be very little way to know ahead of time whether or not the mail link was evil. I expect we’ll see exploit code for this very shortly and we’ll see malware authors begin to leverage this right away. I’d patch this one before patching 08-014. (it’s not being publicly exploited, but it’s only a matter of time)

Another Excel bug, plus an Office bug Typical client side vulnerability. View a malicious Excel document or open a malicious Office document (excel or otherwise) and the attacker can run code on your system. Technically different than the earlier excel issue, but the same cause and effect. This is worse on Office 2000 systems and not quite as bad on Office XP and Office 2003 – due to the auto-opening of Office 2000 documents when you visit a website that links to this document. This is not being publicly exploited.

Bug in Office Web Components ActiveX controls This is a flaw in an ActiveX control that helps display spreadsheets via a web browser. This can be exploited on systems that run Microsoft Office Web Components 2000 – namely: Office 2000, Office XP, Visual Studio .NET 2002 and 2003, BizTalk Server 2000 and 2002, Commerce Server 2000, and ISA Server 2000. If you view an evil website from a machine with any of these products installed, the attacker can run code on your system. This patch adds a ‘killbit’ for the vulnerable controls so that the flawed ActiveX object won’t be launched from the browser and includes an updated version of the ActiveX control. This is not being publicly exploited.


Leave a comment »