As with last month's bulletin, a heartening trend is starting to emerge: None of the security issues disclosed this month affected Office 2007 or Windows Vista. However, four bulletins in this month's batch were pulled at the last minute -- one of which was possibly slated to address a zero-day problem in Word and Office.
There's also been word of a published zero-day exploit in Vista that has not been patched yet. But because the exploit appears to require authenticated access to the target system in order to implement the attack, it's not as urgent.
- Vulnerabilities in Microsoft Excel could allow remote code execution (927198): This addresses a set of vulnerabilities in Excel 2000, Excel 2002, Excel 2003 and the Excel 2003 Viewer that could allow code to be executed in Excel through malformed documents. Several earlier security problems with Excel are also encompassed by this fix, so it's a replacement for an earlier bulletin that addresses some of the same issues. Excel 2007 is not affected.
- Vulnerabilities in Microsoft Outlook could allow remote code execution (925938): This covers three vulnerabilities in Outlook, two of which could be used to execute code and a third that could be used as a denial-of-service attack. Outlook 2000, 2002 and 2003 are affected, but Outlook 2007 is not affected.
Note that there is an issue with applying these fixes where a patched copy of Outlook suddenly can't save Office Saved Searches (OSS) files. The Knowledge Base article describing this issue has a workaround.
- Vulnerability in Vector Markup Language could allow remote code execution (929969): Addresses a problem in Windows and Internet Explorer where a buffer overflow, which interferes with the implementation of Vector Markup Language, could allow someone to execute arbitrary code. This update replaces a previous fix and applies to all existing versions of Windows and IE,,up to and including IE7. It does not apply to Windows Vista, nor does it apply to IE7 running on Windows Vista.
- Vulnerability in Microsoft Office 2003 Brazilian Portuguese grammar checker could allow remote code execution (921585): A vulnerability exists in Brazilian Portuguese language editions of Office 2003, wherein it would be possible to remotely execute code in a document undergoing a grammar check by that edition of Office. This affects all Brazilian Portuguese language editions of Office 2003, but it does not affect Office 2007 or other editions of Office before Office 2003.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This was first published in January 2007