Patch/Configuration Management, Vulnerability Management

Pre-Patch Tuesday flaws reported in Microsoft Excel, Internet Explorer 6

Security experts today reported two vulnerabilities affecting Microsoft products - one of which likely will not be patched until next month's security update.

Researcher Adrien de Beaupre of the SANS Internet Storm Center said early today that proof-of-concept code is available targeting Internet Explorer 6 (IE) that could lead to a DoS attack.

But a Microsoft spokesman told SCMagazine.com today that the issue actually affects XML (extensible markup language), not IE.

"Microsoft is not currently aware of any active attacks utilizing this exploit code or of customer impact at this time," he said. "Microsoft is actively monitoring this situation to keep customers informed and to provide customer guiance as necessary."

The issue was not addressed by this afternoon's patch release, which issued four fixes correcting 10 vulnerabilities.

Meanwhile, vulnerability tracking firm Secunia this morning said a "highly critical" hole in Microsoft Excel could be "exploited by malicious people to compromise a user's system." The flaw is caused by an error when opening XLS files that enables an attacker to execute arbitrary code. Jie Ma of Fortinet's security research team discovered the vulnerability.

That flaw, in fact, was repaired with today's security update, namely bulletin MS07-002, although the hole has not impacted any customers, the spokesman said.

Click here to email reporter Dan Kaplan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.