Microsoft issued four “critical” patches, including one for the zero-day Excel vulnerability reported in January, in its March Patch Tuesday round of bug fixes. In all, the company corrected 12 vulnerabilities, all client-side problems associated with its Microsoft Office productivity suite.
“Every single patch is critical and needs to be seriously considered for remediation,” Paul Zimski, senior director of market strategy at Lumension Security, told SCMagazineUS.com on Tuesday. “All of them allow all remote code execution, so the ultimate impact is an attacker could run malicious code remotely and take over the computer.”
Eric Schultze, chief technology officer at Shavlik Technologies, told SCMagazineUS.com that he believes the Microsoft Outlook patch, MS08-015, is the most important of the fixes.
“It corrects something we haven’t seen before,” he said.
This vulnerability allows an attacker to place a malicious “mailto:” URI link on a webpage. The link, which opens the user’s email client’s “compose” window, could also contain a command that executes malicious code in the background on the user’s system, he said.
“People know not to open Word and Excel documents [that] they don’t trust, but we’ve never talked about being careful about clicking on email links,” Schultze said. “It’s the first time we’ve had something like this.”
He said the “mailto:” link could, as an example, contain more characters than the field allows, leading to a buffer overflow; or it could cause a heap overflow or a buffer under-run. Any of those could allow malicious code to execute.
“I’m guessing we’ll see exploit code for this soon because it’s pretty easy to do,” Schultze said. “We could see malware and phishing websites start to use this, with code embedded in ‘mailto:’ links, in a couple of weeks.”
The Excel patch, MS80-014, originally expected last month, should also rank high on system administrators’ radars. This is an Excel macro validation issue that would allow an attacker to craft a malicious Excel file that, when opened on a vulnerable system, would permit a system takeover, Amol Sarwate, manager of the vulnerability lab at Qualys, told SCMagazineUS.com.
“When a victim opens the Excel attachment, the macro validation runs with all the credentials of the user,” Sarwate said. “It can then install malware, read and delete files — anything the user can do.”
Microsoft has said this vulnerability has been exploited since January, when it was first reported. Microsoft had indicated prior to February’s batch of patches that it planned to fix the Excel vulnerability last month, but did not do so.
The Microsoft Office Web Components vulnerability (MS80-017) “stands out because these ActiveX components are widely distributed and relatively easy to exploit,” Ben Greenbaum, senior research manager for Symantec’s Security Response team, said. “We’ve observed attackers continuing to target web plug-ins in their quest to quickly and quietly install malicious code onto users’ computers.
The Web Components issue “is interesting because the vulnerability exists inside Office but the attack occurs through the web, not via an Office file, which makes it unique,” Zimski said. The Web Components is a COM object that allows publishing Word or Excel documents on the web, he explained, and an unpatched system could be taken over merely by visiting a website populated with malicious code. (COM objects are used in interprocess communications within the Windows operating environment.)
Attackers are shifting their target from servers to client-side applications because Microsoft has done a good job of shoring up server-side vulnerabilities, Schultze said.
“Client-side vulnerabilities are like shooting fish in a barrel because there are so many of client-side applications — Adobe Reader, RealPlayer, Firefox and Internet Explorer — they’re more prevalent and easier to find” than server-side bugs.