Microsoft released two security bulletins today through March’s Patch Tuesday release, including a fix for several Office vulnerabilities that are considered critical.
The bulletin regarding Office outlined vulnerabilities that include a hole in Excel that can be exploited via a malicious document delivered through websites or e-mail attachments. A successful attacker can gain remote code execution and complete system compromise through this vulnerability.
Additionally, the Office security bulletin also speaks to a weakness in how program applications manage metadata of routing slips, which support collaborative document sharing. This flaw also allows malicious documents to be delivered by e-mail or through websites with resulting remote code execution and total system compromise.
"Attackers require some victim cooperation to exploit either of these vulnerabilities" said Oliver Friedrichs, director, Symantec Security Response. "Symantec advises all Microsoft Office users to avoid opening Office documents that come from unknown sources."
Symantec was one of the key players that helped Microsoft identify the routing slip vulnerability. The Excel weakness was fairly well-known through the community, with Microsoft receiving reports from TippingPoint, NGS Software, Fortinet and XFOCUS of this exposure.
The second security bulletin covered a gap in Windows that leaves systems open to unauthorized priveledge elevation. Considered "important," this bulletin explained that Windows XP Service Pack 1 and Windows Server 2003 have vulnerabilities that might allow low-privileged users to change properties associated with certain Windows services. The risk is minimized by the fact that the user must already have logon credentials; anonymous exploitation of this hole is not possible.
Beyond patching weaknesses detailed in these two bulletins Microsoft did not have any other additional updates this month, making this a relatively quiet Tuesday compared to the past two months. Last month, the company released seven security patches, six of which were considered critical. And in January Microsoft released an out-of-cycle patch to cover the much-hyped WMF vulnerability, as well as two other "critical" patches during its normal release.