Excel, Office '07 affected by patch updates; Vista left alone

There's also been word of a published zero-day exploit in Vista that has not been patched yet. But because the exploit appears to require authenticated access to the target system in order to implement the attack, it's not as urgent.

Here's a breakdown of what's in Microsoft's January 2007 security bulletin.

Critical vulnerabilities:

• Vulnerabilities in Microsoft Excel could allow remote code execution (927198): This addresses a set of vulnerabilities in Excel 2000, Excel 2002, Excel 2003 and the Excel 2003 Viewer that could allow code to be executed in Excel through malformed documents. Several earlier security problems with Excel are also encompassed by this fix, so it's a replacement for an earlier bulletin that addresses some of the same issues. Excel 2007 is not affected.

• Vulnerabilities in Microsoft Outlook could allow remote code execution (925938): This covers three vulnerabilities in Outlook, two of which could be used to execute code and a third that could be used as a denial-of-service attack. Outlook 2000, 2002 and 2003 are affected, but Outlook 2007 is not affected.

  Note that there is an issue with applying these fixes where a patched copy of Outlook suddenly can't save Office Saved Searches (OSS) files. The Knowledge Base article describing this issue has a workaround.

• Vulnerability in Vector Markup Language could allow remote code execution (929969): Addresses a problem in Windows and Internet Explorer where a buffer overflow, which interferes with the implementation of Vector Markup Language, could allow someone to execute arbitrary code. This update replaces a previous fix and applies to all existing versions of Windows and IE,,up to and including IE7. It does not apply to Windows Vista, nor does it apply to IE7 running on Windows Vista.

Important vulnerabilities:

• Vulnerability in Microsoft Office 2003 Brazilian Portuguese grammar checker could allow remote code execution (921585): A vulnerability exists in Brazilian Portuguese language editions of Office 2003, wherein it would be possible to remotely execute code in a document undergoing a grammar check by that edition of Office. This affects all Brazilian Portuguese language editions of Office 2003, but it does not affect Office 2007 or other editions of Office before Office 2003.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Patches, alerts and critical updates Structuring patch management in seven steps Underlying causes of inconsistent patch management Microsoft's Online Desktop Manager caters to small IT shops Microsoft's Patch Tuesday brings a bumper crop of security fixes Act fast with five critical September patches Microsoft's August patches run the gamut Patching third-party browsers adds more work in Windows shops Troubleshooting Microsoft WSUS connectivity issues Windows security tools for the busy desktop administrator The state of enterprise security and emerging threats in 2009 RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary drive-by download  (SearchEnterpriseDesktop.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.