Patch Tuesday Won't Fix Excel Hole March's Patch Batch Won't Include Fix for Excel Vulnerability Stuart J. Johnston
Microsoft plans to ship three patches for Windows next week on March's "Patch Tuesday," but they won't include a patch for a nasty bug in Excel that the company alerted customers about late last month.
The Excel hole leaves users at risk for complete compromise of their systems if they open or save a poisoned Excel file.
What's worse, by the time Microsoft's Malware Protection Center released its Security Advisory about the problem on Feb. 24, the company and outside security researchers had already detected zero-day (define) attacks in the wild exploiting the flaw.
Microsoft subsequently shipped an update to its Forefront Client Security, Windows Live OneCare and Windows Live OneCare safety scanners in late February to help protect customers, but admitted that the update, numbered 1.51.1105.0, is not a complete fix.
While the coming Patch Tuesday update won't include a more longer-lasting fix for the Excel vulnerability, Microsoft said it would release three other bug patches, all for Windows. One of them, concerning a fix to prohibit remote code execution, is rated "critical." The two remaining fixes are targeted at spoofing attacks, and are rated "important."
It's not yet clear how Microsoft will address the threat facing Excel users.
Zero-day attacks enabled by the vulnerability could be used for "spearphishing" — phishing targeted at a select pool of victims, according to antivirus vendor Symantec, which discovered the threat.
In its February Security Advisory, Microsoft said "limited and targeted attacks" had been reported using the vulnerability.
Users could be affected if they use Excel 2000 Service Pack 3 up through Excel 2007 SP1, as well as the Excel Viewer. Additionally, Excel 2004 and 2008 for the Apple Mac are also at risk.
Microsoft's advice is for users not to open any Excel file that comes from an untrusted source or that seems out of the ordinary. Besides commonsense solutions, however, the company also recommends that users of Office 2003 and Office 2007 install the Microsoft Office Isolated Conversion Environment (MOICE), which could provide an additional measure of insulation from the attack.
A Microsoft spokesperson said Friday that Microsoft is "still investigating" the Excel attacks. The original security advisory says that once the problem is understood, Microsoft will decide how to fix it, including the possibility of releasing an "out of cycle" security patch.
Microsoft plans to ship three patches for Windows next week on March's "Patch Tuesday," but they won't include a patch for a nasty bug in Excel that the company alerted customers about late last month.
