Believe it or not, March has been a pretty busy month for critical updates. It has also included a vulnerability with the most severe rating a program flaw or malware can achieve. Microsoft’s monthly update came out on the 14th, and it addresses a critical flaw that affects a number of different MS Office components, as well as seven versions of MS Works.
In addition to the critical Office vulnerability, Macromedia’s Flash Player has a critically rated vulnerability of its own. If an unpatched Java player runs a specially crafted swf file (Flash file type), it could allow an attacker a level of authority in a system that would scare anyone.
Microsoft’s March security patch addresses a vulnerability that is present in several versions of Microsoft’s Office suite (complete list of affected Office versions below). If this vulnerability is successfully exploited, it can give an attacker all the permissions they need to control your system. When a user opens a specially crafted malformed file in any of the affected Office programs, the system will grant the attacker the same rights as the current user. If the user is logged on under an Administrator Account, the attacker will have permissions in your system to install programs and to view, change or delete data. They will also be able to create new accounts. You don’t have to be a security expert to know that this is bad news.
On the flip side of the coin, those who follow the more secure practice of logging on as an Administrator only when needed, and using a Limited User Account the rest of the time, can significantly lower the impact of a successful attack.
Here’s a complete list of the Microsoft products that are affected by this vulnerability:
• Microsoft Office 2000 Service Pack 3
• Microsoft Word 2000
• Microsoft Excel 2000
• Microsoft Outlook 2000
• Microsoft PowerPoint 2000
• Microsoft Office 2000 Multilanguage Packs
• Microsoft Office XP Service Pack 3
• Microsoft Word 2002
• Microsoft Excel 2002
• Microsoft Outlook 2002
• Microsoft PowerPoint 2002
• Microsoft Office XP Multilingual User Interface Packs
• Microsoft Office 2003 Service Pack 1 or Service Pack 2
• Microsoft Excel 2003
• Microsoft Excel 2003 Viewer
Affected Microsoft Works Suites:
• Microsoft Works Suite 2000
• Microsoft Works Suite 2001
• Microsoft Works Suite 2002
• Microsoft Works Suite 2003
• Microsoft Works Suite 2004
• Microsoft Works Suite 2005
• Microsoft Works Suite 2006
• Microsoft Office X for Mac
• Microsoft Excel X for Mac
• Microsoft Office 2004 for Mac
• Microsoft Excel 2004 for Mac
• Microsoft Office Excel 2000 Viewer
• Microsoft Office Excel 2002 Viewer
• Microsoft Word 2003
• Microsoft Outlook 2003
• Microsoft PowerPoint 2003
You can find the link to any patch you may need here.
As for the Adobe Macromedia Flash Player flaw, it also has a critical rating. Security bulletins describing the severity of the vulnerability have been posted on both Adobe’s and Microsoft’s Web sites. The Java Player, which allows users on the Web to view animations, movies and other rich content, can be used to breach your system’s security. By using specially crafted swf files (the file format that Flash Players read), an attacker can take advantage of this dangerous security hole, and that’s all it takes. Once in a system, an attacker can execute arbitrary code using e-mail or your web browser, among other applications.
The update for the Flash Player can be found at the link below and will update your version from 18.104.22.168 to 22.214.171.124. This patch will, of course, close the security hole, allowing you to enjoy all of those great Flash files without wondering who’s creeping around your back door.
Download the update for Adobe’s Macromedia Java Flash Player here: http://www.macromedia.com/support/flash/downloads.html
~ Chad Stelnicki