Jack Writes: Microsoft’s Patch Tuesday has just passed, and once again the company from Redmond has presented a Microsoft Office in which patched flaws and discovered vulnerabilities far outnumber non-security upgrades.
Thus, the two patches issued by Microsoft addressed six Office flaws, dubbed “critical” by the company, and one less significant but still important Windows flaw.
As BetaNews reports, the patch dealing with the Office vulnerability contained fixes for five issues within Excel, including malformed range, file format parsing, description, graphic and record flaws. In each case, an attacker could take complete control of an affected system if the user was logged in as an administrator.
Microsoft also fixed a flaw that occurs when using a malformed routing slip within an Office document. Remote code execution as well as a complete system takeover would also be possible through this vulnerability.
The Windows patch was for a vulnerability discovered by a pair of Princeton researchers. On computers running either Windows Server 2003 without the service pack or Windows XP SP1, a privilege flaw exists that would allow an attacker to easily find privilege escalation vulnerabilities in third-party applications.
Proof-of-concept code for this flaw was released publicly one month ago, and detailed how ACLs -- short for access control lists -- could be exploited. These tables of data tell the computer what rights a user has for each system object.
However, coding errors resulted in vulnerabilities that allow these lists to be bypassed by attackers.
As it usually does, the company recommended that all its users update as soon as possible, either through Windows Update or the built-in Automatic Updates feature.