Microsoft issued seven patches on Tuesday to fix 18 flaws, the lion's share of which could allow an attacker to compromise systems running Microsoft Office 2000 applications.
One bulletin, MS06-037, described eight flaws in Microsoft Excel, each earning an "Important" rating from Microsoft--the company's second-highest--for Excel 2002, Excel 2003, Excel 2004 for Mac and Excel v. X for Mac. The flaws could allow an attacker to create an Excel file that, when opened by a user, could compromise the system. However, Microsoft ranked the flaws as "Critical"--its highest severity for vulnerabilities--on Excel 2000, because that application does not open a dialog box asking the user to "Open, Save or Cancel?"
Five other flaws similarly affected Microsoft Office, earning a "Critical" severity for Office 2000 and an "Important" designation for all other versions of the productivity suite.
The Internet Storm Center, a group of volunteers funded by the SANS Institute, classified one of two flaws in the Windows Server service as the most critical vulnerability patched this month.
"The vulnerability can be exploited remotely against the 'Server' service," the ISC said on its site. "So this would definitely be something that could be used for widespread compromise with no user interaction, or a worm."
Other flaws described in July's bulletins include an information disclosure issue in Microsoft .NET Framework, a vulnerability in IIS, and a critical vulnerability in the Windows Dynamic Host Configuration Protocol (DHCP) client. The DHCP issue could allow an attacker on the same subnet to compromise any Windows computer by responding to a request for an IP address with a specially crafted packet.
Posted by: Robert Lemos