Microsoft patches Excel security hole

Following a heavy patch month in February, Microsoft announced a lighter load of security bulletins for its users, but security experts say the potential impact is considerable if vulnerabilities aren't addressed.

"Even though it is a slower month, it is still important to remember that these bulletins should be researched because next time it could be highly publicized vulnerabilities with IE," says Jason Miller, data and security team leader at Shavlik Technologies.

Microsoft released two security bulletins to address eight vulnerabilities in Windows and Microsoft Office, one specifically that impacts Excel, which security experts say could affect many businesses considering how frequently the application is used. The bulletins will impact fewer machines, almost avoiding all servers unless SharePoint Server 2007 is installed, because they affect client Windows operating systems and Microsoft Office. Yet with Excel being commonplace in most companies, systems will need to be addressed.

"MS10-017 should be addressed first on your network," Miller says. "Microsoft Excel is big in business and most people are going to want to take a look at this. If you download this or get it through an email, it could cause remote code execution, meaning an attacker would be able to take control of your system."

According to Paul Henry, security and forensic analyst for Lumension, MS10-017 resolves "seven privately reported vulnerabilities in Microsoft Office Excel." Henry adds that an experienced hacker could gain the same rights as the local user, but "users whose accounts are configured to have fewer user rights on the system could be less impacted than users who are operating with administrative user rights."

The second bulletin, MS10-016, involves Microsoft Producer 2003, which is not as commonly used as Excel. The vulnerability could also enable remote code execution, but it should be noted, Miller says, that Microsoft is not providing a patch for this vulnerability and is instead recommending the component be uninstalled.

"Microsoft not providing patches for known software vulnerabilities has become more common over the patch 12 months. This is a great example of why administrators should take time each month and research the information associated with each bulletin. Simply blindly pushing out patches does not necessarily make your network secure," Miller says.

For instance, Microsoft also issued Security Advisory 981374, which affects Internet Explorer 6 and IE 7. Microsoft is continuing to investigate the "targeted attacks seeking to exploit this vulnerability," but the company did not issue a patch yet. Because IE 8 is not impacted, Microsoft recommends users upgrade to IE 8, even as the company begins to share details around IE 9.  

"We will continue to monitor the situation and take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-band security update, depending on customer needs," according to Microsoft. "In the interim, it is recommended that customers using Internet Explorer 6 or 7, upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in-depth protections"