Microsoft released two security bulletins for its March update, rating one critical and the other important. In other news, a McAfee update goes awry, wiping out several applications, including Microsoft Excel.
This month's Patch Tuesday was a quiet one, with Microsoft releasing only two security bulletins. One is a critical threat that affects a variety of Microsoft Office applications, and the other is an important threat that shouldn't pose too much risk. Let's take a closer look.
Microsoft Security Bulletin MS06-012, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution," is a major remote code execution vulnerability that affects a wide variety of applications, including both Windows and Macintosh software. No exploits have appeared in the wild.
The security bulletin addresses a number of known as well as newly reported threats.
- Microsoft Office Excel Remote Code Execution Using a Malformed Range Vulnerability (CVE-2005-4131) (While this is a publicly disclosed exploit, there have been no reports of attacks and no proof of concept code seen.)
- Microsoft Office Excel Remote Code Execution Using a Malformed File Format Parsing Vulnerability (CVE-2006-0028)
- Microsoft Office Excel Remote Code Execution Using a Malformed Description Vulnerability (CVE-2006-0029)
- Microsoft Office Excel Remote Code Execution Using a Malformed Graphic Vulnerability (CVE-2006-0030) (While this is a publicly disclosed exploit, there have been no reports of attacks and no proof of concept code seen.)
- Microsoft Office Excel Remote Code Execution Using a Malformed Record Vulnerability (CVE-2006-0031)
- Microsoft Office Remote Code Execution Using a Malformed Routing Slip Vulnerability (CVE-2006-0009)
- Office 2000 Service Pack 3, including Word 2000, Excel 2000, Outlook 2000, PowerPoint 2000, and Office 2000 MultiLanguage Packs
- Office XP SP3, including Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, and Office XP Multilingual User Interface Packs
- Office 2003 SP1 and SP2, including Excel 2003 and Excel 2003 Viewer
- Microsoft Works Suite 2000, 2001, 2002, 2003, 2004, 2005, and 2006
- Excel X for Mac
- Excel 2004 for Mac
This update doesn't affect Excel 2000 Viewer, Excel 2002 Viewer, Word 2003, Outlook 2003, and PowerPoint 2003. Other than these few applications, however, you can assume that the update does affect every other currently used Office application. Check the bulletin closely for the applicable update.
All six vulnerabilities addressed by MS06-012 are remote code execution threats. Microsoft has rated them critical threats for Word 2000, Excel 2000, Outlook 2000, and Office 2000 MultiLanguage Packs. The Microsoft Office Remote Code Execution Using a Malformed Routing Slip Vulnerability is a critical threat for PowerPoint 2000.
These are important threats for all other affected programs.
Because this security bulletin addresses six separate vulnerabilities, there are various mitigating factors. Read the security bulletin for more details.
Install the update. Specific updates are available for the various affected applications, so check the security bulletin to determine what (if anything) you need to patch. Some of these patches are replacements for a number of earlier bulletins, including MS04-033, MS05-035, and MS06-003. The only workaround provided by Microsoft is to never open Office documents from untrusted sources.
Microsoft Security Bulletin MS06-011, "Permissive Windows Services DACLs Could Allow Elevation of Privilege," is a minor threat that only applies to some recent Windows versions. The single threat involved is Permissive Windows Service DACLs (CVE-2006-0023), which is a new, publicly disclosed threat.
- Windows XP SP1
- Windows Server 2003
- Windows Server 2003 for Itanium-based systems
This is an important threat for Windows XP SP1, but it doesn't apply to Windows XP SP2. It's a moderate threat for affected versions of Windows Server 2003, which doesn't include Windows Server 2003 SP1.
There is no threat to properly maintained operating systems that have current service packs installed. In addition, an attacker must also have valid logon credentials to take advantage of this exploit.
Install the update. Microsoft has provided some highly complex workarounds, so see the security bulletin for more details. Because of the low threat level, you should definitely read Microsoft Knowledge Base Article 914798 to learn about any problems the update is likely to cause.
Far more serious than MS06-011 is a recent glitch in McAfee's virus definition file. The company's March 10 virus database update selected Excel, Macromedia Flash, Google Toolbar, and Adobe Update Manager files for deletion. For a full list of the files McAfee deleted on affected systems by virus definition file 4715, check out this PDF.
First Symantec tried to kill Office; now McAfee updates have destroyed a lot of important applications—is it any wonder that I perform manual updates a few days after the release of the signatures and updates? So far, my firewalls and a few utilities have kept my system clean during the delays.
The Department of Homeland Security (DHS) recently received a grade for its computer security. The House Government Reform Committee gave the agency an F for the second year in a row, making it one of the worst government agencies. Personally, I'm disgusted. In fact, I resigned from my emergency management post several years ago when I saw how poorly DHS was doing.
Speaking of appalling news, the recent revelation about the child pornography on-demand ring, which Canadian authorities are still working to shut down, has horrified many of us. However, many news reports have left out Microsoft's involvement with the effort—providing funding and the specialized software that helped Canadian police organize the worldwide search and sting operation. I'm giving Microsoft a big thumbs-up on this one.
Miss a column?
Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.
Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.