Microsoft warns of 3 critical vulnerabilities

The critical vulnerabilities are in Excel, Outlook and Internet Explorer.

An important vulnerability is in the Office 2003 Brazilian Portuguese Grammar Checker.

Excel

A remote code execution vulnerability exists in Microsoft Excel. An attacker could exploit this vulnerability when Excel parses a file and processes a malformed IMDATA record.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Outlook

There’s a remote code execution vulnerability in Microsoft Outlook as well. An attacker could exploit this vulnerability when Outlook parses a file and processes a malformed VEVENT record.

A denial of service vulnerability exists in Outlook in its processing of e-mail header information. An attacker who successfully exploited the vulnerability could send a malformed e-mail to a user of Outlook that would cause the Outlook client to fail under certain circumstances. The Outlook client would continue to fail so long as the malformed e-mail message remained on the e-mail server. The e-mail message could be deleted by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express, after which point the Outlook client would again function normally.

An attacker could exploit this vulnerability when Outlook parses an .oss file.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Internet Explorer

An attacker could exploit the remote code execution vulnerability in the Vector Markup Language by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Users are advised to update as soon as possible.

For more information about these security bulletins, check out the TechNet Webcast, which will present a brief overview of the technical details of the January security bulletins, followed by an extensive Q&A session in which you can ask questions and get answers from the presenters:

  • Christopher Budd, CISA, CISM, CISSP, ISSMP, Security Program Manager, PSS Security, Microsoft Corporation
  • Mike Reavey, Lead Security Program Manager, Microsoft Corporation


