Microsoft released two security bulletins for its March
update, rating one critical and the other important. In other news, a McAfee
update goes awry, wiping out several applications, including Microsoft Excel.

Details

This month’s Patch Tuesday was a quiet one, with Microsoft
releasing only two security bulletins. One is a critical threat that affects a
variety of Microsoft Office applications, and the other is an important threat that
shouldn’t pose too much risk. Let’s take a closer look.

MS06-012

Microsoft Security Bulletin MS06-012, “Vulnerabilities in Microsoft Office Could
Allow Remote Code Execution,” is a major remote code execution vulnerability
that affects a wide variety of applications, including both Windows and
Macintosh software. No exploits have appeared in the wild.

The security bulletin addresses a number of known as well as
newly reported threats.

  • Microsoft Office Excel Remote Code Execution Using a Malformed Range
    Vulnerability (CVE-2005-4131). (While this vulnerability was publicly
    disclosed before the patch, there have been no reports of attacks and no
    proof of concept code seen.)
  • Microsoft Office Excel Remote Code Execution Using a Malformed File Format
    Parsing Vulnerability (CVE-2006-0028)
  • Microsoft Office Excel Remote Code Execution Using a Malformed Description
    Vulnerability (CVE-2006-0029)
  • Microsoft Office Excel Remote Code Execution Using a Malformed Graphic
    Vulnerability (CVE-2006-0030). (While this vulnerability was publicly
    disclosed before the patch, there have been no reports of attacks and no
    proof of concept code seen.)
  • Microsoft Office Excel Remote Code Execution Using a Malformed Record
    Vulnerability (CVE-2006-0031)
  • Microsoft Office Remote Code Execution Using a Malformed Routing Slip
    Vulnerability (CVE-2006-0009)

Applicability

  • Office 2000 Service Pack 3, including Word 2000, Excel 2000, Outlook 2000,
    PowerPoint 2000, and Office 2000 MultiLanguage Packs
  • Office XP SP3, including Word 2002, Excel 2002, Outlook 2002, PowerPoint
    2002, and Office XP Multilingual User Interface Packs
  • Office 2003 SP1 and SP2, including Excel 2003 and Excel 2003 Viewer
  • Microsoft Works Suite 2000, 2001, 2002, 2003, 2004, 2005, and 2006
  • Excel X for Mac
  • Excel 2004 for Mac

This update doesn’t affect Excel 2000 Viewer, Excel 2002
Viewer, Word 2003, Outlook 2003, and PowerPoint 2003. Other than these few
applications, however, you can assume that the update does affect every other
currently used Office application. Check the bulletin closely for the applicable
update.

Risk level

All six vulnerabilities addressed by MS06-012 are remote code execution threats.
Microsoft has rated them critical threats for Word 2000, Excel 2000, Outlook
2000, and Office 2000 MultiLanguage Packs. The Microsoft Office Remote Code
Execution Using a Malformed Routing Slip Vulnerability is a critical threat for
PowerPoint 2000.

These are important threats for all other affected programs.

Mitigating factors

Because this security bulletin addresses six separate vulnerabilities, there
are various mitigating factors. Read the security bulletin for more details.

Fix

Install the update. Specific updates are available for the various affected
applications, so check the security bulletin to determine what (if anything)
you need to patch. Some of these patches are replacements for a number of
earlier bulletins, including MS04-033, MS05-035, and MS06-003. The only
workaround provided by Microsoft is to never open Office documents from
untrusted sources.

MS06-011

Microsoft Security Bulletin MS06-011, “Permissive Windows Services DACLs Could
Allow Elevation of Privilege,” is a minor threat that only applies to some
recent Windows versions. The single threat involved is Permissive Windows
Service DACLs (CVE-2006-0023), which is a new, publicly disclosed threat.

Applicability

  • Windows XP SP1
  • Windows Server 2003
  • Windows Server 2003 for Itanium-based systems

Risk level

This is an important threat for Windows XP SP1, but it doesn’t apply to Windows
XP SP2. It’s a moderate threat for affected versions of Windows Server 2003,
which doesn’t include Windows Server 2003 SP1.

Mitigating factors

There is no threat to properly maintained operating systems that have current
service packs installed. In addition, an attacker must already have valid logon
credentials to take advantage of this vulnerability.

Fix

Install the update. Microsoft has provided some highly complex workarounds, so
see the security bulletin for more details. Because of the low threat level,
you should definitely read Microsoft Knowledge Base Article 914798 to learn about
any problems the update is likely to cause.
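The permissive-DACL problem that MS06-011 corrects is one an administrator can audit directly rather than take on faith. The PowerShell script below is an added example, not code from the column or from Microsoft’s bulletin. It wraps sc.exe sdshow (which prints a service’s security descriptor as an SDDL string, and is the same tool the bulletin’s workarounds rely on), parses the DACL with the .NET RawSecurityDescriptor class, and reports every service whose DACL grants configuration-changing or ownership rights to a broad principal such as Everyone, Authenticated Users, Users, or Interactive. The function name Get-PermissiveServiceAces, the choice of which SIDs count as “broad,” and the set of rights flagged are the example’s own assumptions; the access-mask constants are the documented Win32 values.

```powershell
# Added example (not from the column or the bulletin): audit local service
# DACLs for write-type rights granted to broad, low-privilege principals.
# Assumes sc.exe is on the PATH and the caller may read each service's
# security descriptor (READ_CONTROL, normally granted to interactive users).

# Service-specific and generic access-mask bits that let a principal change
# what a service runs or who controls it (values from the Win32 SDK).
$WriteRights = @{
    SERVICE_CHANGE_CONFIG = 0x0002
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}

# Well-known SIDs that every logged-on user (or everyone) belongs to.
# This list is the example's own choice; extend it for your environment.
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

function Get-PermissiveServiceAces {
    param(
        [string[]]$ServiceName = (Get-Service | Select-Object -ExpandProperty Name)
    )

    foreach ($svc in $ServiceName) {
        # sc.exe sdshow prints a blank line followed by the SDDL string;
        # on failure it prints an error that does not start with D: or O:.
        $sddl = (& sc.exe sdshow $svc | Where-Object { $_ -match '^[DO]:' }) -join ''
        if (-not $sddl) { continue }

        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only access-allowed ACEs grant rights; deny and audit ACEs do not.
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if ($BroadSids -notcontains $ace.SecurityIdentifier.Value) { continue }

            # Collect the names of any flagged bits present in this ACE's mask.
            $granted = $WriteRights.GetEnumerator() |
                Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
                ForEach-Object { $_.Key }

            if ($granted) {
                New-Object PSObject -Property @{
                    Service   = $svc
                    Principal = $ace.SecurityIdentifier.Value
                    Rights    = ($granted -join ',')
                }
            }
        }
    }
}

# Usage: list findings for review. An empty result means no broad principal
# holds the flagged rights on any local service; it does not by itself prove
# the MS06-011 update is installed, so still confirm that through your
# patch-management tooling.
Get-PermissiveServiceAces | Format-Table Service, Principal, Rights -AutoSize
```

Run it on a patched and an unpatched build of the same image and compare the two lists; any service that appears only on the unpatched host is one the update (or the bulletin’s sc.exe sdset workaround) tightens, and that is the change to verify after deployment.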

Other threats

Far more serious than MS06-011 is a recent glitch in McAfee’s virus definition
file. The company’s March 10 virus database update selected Excel, Macromedia
Flash, Google Toolbar, and Adobe Update Manager files for deletion. For a full
list of the files McAfee deleted on affected systems by virus definition file
4715, check out this PDF.

Final word

First Symantec tried to kill Office; now McAfee updates have
destroyed a lot of important applications—is it any wonder that I perform
manual updates a few days after the release of the signatures and updates? So
far, my firewalls and a few utilities have kept my system clean during the
delays.

The Department of Homeland Security (DHS) recently received
a grade for its computer security. The House Government Reform Committee gave the agency an F for the second year in a row,
making it one of the worst government agencies. Personally, I’m disgusted. In
fact, I resigned from my emergency management post several years ago when I saw
how poorly DHS was doing.

Speaking of appalling news, the recent revelation about the child pornography
on-demand ring, which Canadian authorities are still working to shut down, has
horrified many of us. However, many news reports have left out Microsoft’s
involvement with the effort—providing funding and the specialized software that
helped Canadian police organize the worldwide search and sting operation. I’m
giving Microsoft a big thumbs-up on this one.


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.