‘Critical’ Excel Hole Fixed on Patch Tuesday

Microsoft made good on its plans to take care of a persistent vulnerability in Excel, fixing the problem in today’s Patch Tuesday updates along with four other “critical”-rated issues in versions of Windows and Internet Explorer.

A Microsoft spokesperson confirmed that the Patch Tuesday updates block the Excel vulnerability, a zero-day flaw that surfaced in late February. While limited attacks had already surfaced on the Web, Microsoft (NASDAQ: MSFT) first acknowledged the problem in a security advisory in early March.

The flaws left users at risk for complete compromise of their systems if they open or save a poisoned Excel file.

However, the two issues fixed by the patch are only classified as “critical” — the company’s maximum severity rating — for Excel 2000 Service Pack 3 (SP3). For later versions, the flaws are rated “important” — Microsoft’s second-highest severity rating. Excel 2007 is not affected.

Today’s patch also fixes a second critical glitch that was not a zero-day flaw, Microsoft said.

IE, Windows patches

Patch Tuesday also ushered in a handful of patches for other key products.

An Internet Explorer (IE) patch fixes a total of four critical holes in versions ranging from IE 5.01 up through Vista Service Pack 1.

All four of the holes are related to how IE manages memory, and a successful exploit causes a so-called “memory overflow” error, which knocks the browser off its tracks and lets an attack program run its own code.

To get infected, all the user would have to do is visit a page with a booby-trapped file or click on a malicious link in an e-mail or instant message. Breaching a user’s system using any of the vulnerabilities could result in complete compromise of the PC, Microsoft said.

One lucky note: IE 8, which shipped in mid-March, is immune to attacks based on those flaws.

As usual, the IE patch comes as a “cumulative update,” which means that it includes every previous fix. That also lets users who’ve skipped a few Patch Tuesday updates get caught up with a single installment.

Windows also received a number of patches. Microsoft fixed one critical issue in how Windows processes Hypertext Transfer Protocol, or HTTP — the main protocol that browsers use to communicate with Web servers. It affects Windows 2000 SP4 (the latest version) up through Windows Vista SP1 and Windows Server 2008.

Another patch fixes two critical security flaws in Windows’ WordPad notetaking program. However, the flaws are only rated critical for Office 2000 SP3.

Users with automatic updates enabled will have the patches installed automatically. Further information is available at Microsoft’s TechNet Security site.

Stuart J. Johnston
Stuart J. Johnston is an eSecurity Planet and Serverwatch contributor.