23 Security Fixes Just Released: Experts Astounded

Dennis Faas's picture

Microsoft's Patch Tuesday came and went yesterday, bringing 23 fixes for a number of issues with its popular Office programs Excel and Word. At least several of these have been marked critical, and most users should certainly consider the download. (Source: theregister.co.uk)

The most critical of the patches fixes an Excel flaw that could potentially allow a hacker to take remote control of an unpatched system. If an unprotected user opens a malicious and specially crafted Excel file, they could find their computer controlled by someone else effectively exploiting something called an Unspecified Remote Code Execution Vulnerability in Excel. Those PC users employing Microsoft Office editions for the years 2002, 2003, and 2007 should apply the fix. Even Mac users online with Microsoft Office 2004 and 2008 are vulnerable, an MS bulletin suggests. (Source: cnet.com)

Remote Code Execution Threatens Office, Explorer

Similar remote execution flaws in WordPad and other Office utilities are also being patched with this most recent download. Word users running 2000 or 2002 editions of the popular word processing tool are most encouraged to update. Given that this is exam time at most universities across North America, it might be a good idea for students to follow the advice.

Windows 2000, XP, XP Professional, and Windows Server 2003 users are also informed that they are vulnerable to a remote attack.

The patch hardly stops there, however.

Microsoft's ubiquitous Internet Explorer browser is also vulnerable to a series of four critical issues, which collectively could lead to remote code execution. This time the problem isn't linked to a malicious file, but to a specially constructed web site that has the potential to attack a server through HTTP. Internet Explorer 5 through 7 are affected.

"We were astonished..." Say Security Experts

Other fixes address remote code execution issues in DirectX 8 and 9. A less likely hack for Windows OS versions from 2000 to Vista and Server 2003 and 2008 has also been fixed. Although the issue requires a hacker to log onto a system themselves before running a malicious application, it's still worth updating just in case your computer is lost, stolen, or misplaced. (Source: pcmag.com)

Most security experts are startled at the number of threats this patch addresses. "We were astonished to see how many zero-days are in [this past Tuesday's] release," said Wolfgang Kandek, Qualys' CTO. "For the IT guys, that means their window has just shrunk to zero to get these things fixed." (Source: cnet.com)
