Microsoft on Tuesday released its monthly round of security patches, fixing a number of widely reported bugs in its Excel and Office products.
The July security updates include seven sets of patches. Four of the updates address bugs in the Windows operating system, while the other three fix problems in Office and Excel. More information on the updates can be found here: http://www.microsoft.com/technet/security/bulletin/ms06-jul.mspx.
All of the Office and Excel fixes, as well as two of the Windows updates, are rated as critical by Microsoft, meaning that an attacker could theoretically take advantage of the flaws to run unauthorized code on a victim's PC.
The two critical Windows updates are for users of the Windows Server 2003, Windows XP and Windows 2000 operating systems. They fix vulnerabilities in Windows' Server service and in its DHCP (Dynamic Host Configuration Protocol) Client service.
Security vendors warned that these Windows flaws, described in MS06-035 and MS06-036, could be used by hackers to create a self-replicating worm. Those are of particular concern to enterprises," said Jonathan Bitle, a product manager with Qualys. "They are both remote code execution vulnerabilities and, on top of that, they're both wormable vulnerabilities."
NCircle Network Security is particularly concerned with the bug in the Windows Server service, which is used in network tasks such as printing and file sharing. The Server service patch "addresses the first serious vulnerability in 2006 that has the potential to create a widespread worm," nCircle said in a statement.
Unpatched Windows 2000 systems may be vulnerable to such a worm, but it would be unlikely to affect Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 machines, because they turn off Windows Server services by default, said Christopher Budd, a security program manager with Microsoft's security response center. "The most likely thing that would happen would be a denial-of-service situation."
Furthermore, Windows Server is "based on the sever message block protocol," he added. "That's something that most enterprises will be blocking at the perimeter, as a best practice."
The Excel patches, which are described in the MS06-037 bulletin are considered to be critical for users of Microsoft's Excel 2000 spreadsheet, and are rated "important" for other Excel users, Microsoft said.
The two Office updates are considered critical for Office 2000 and Project 2000 users.
Over the past month Microsoft has investigated a number of issues related to Excel and Office, following reports that hackers had launched a targeted attack against an unnamed government contractor, taking advantage of a bug in its Excel spreadsheet software.
Microsoft has not patched all the bugs related to Excel. A bug in certain Asian-language versions of Excel, disclosed late last week, has not been fixed. More information on this bug can be found here: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3431
A second vulnerability, which was demonstrated within an Excel spreadsheet last June, also remains unpatched. This vulnerability stems from a flaw in one of Microsoft's dynamic link libraries, which are used by applications such as Excel. More information on it can be found here: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3086
"They came in too late in the engineering process for us to include and still make sure we didn't jeopardize the existing release addressing other issues," said Stephen Toulouse, a security program manager with Microsoft's security response center, writing in an e-mail message.
The seven patches will keep administrators busy, although not so busy as in June. Last month, Microsoft released 12 security updates.