Microsoft's security updates Tuesday will probably include a fix for a vulnerability in Excel that has been exploited by attackers for several weeks, a researcher said today. But he told users not to expect a fix for another bug that the company acknowledged more than two months ago.
According to the prepatch notice Microsoft issued last week, three of the 12 security updates will address critical flaws in Microsoft Office. However, none cited Excel, the suite's spreadsheet application, and the notice instead referred to bugs in Publisher and Word, plus a generic third flaw in Office 2000, Office XP and Office 2003.
About a month ago, Microsoft posted a security advisory confirming that attacks against Excel were in progress. Then, the company recommended that Office 2003 users run suspect Excel files through MOICE (Microsoft Office Isolated Conversion Environment), a free conversion tool released last year that converts Office 2003 format documents into the more secure Office 2007 formats to strip out possible exploit code. It also told users to think about using File Block, a last-ditch defense that lets administrators block select Office file types.
Andrew Storms, director of security operations at nCircle Network Security Inc., noted that the Office updates account for a third of Tuesday's patches. "For Microsoft not to address the single publicly-debated vulnerability in Excel would be a big misstep," he said. "Some debate that the Excel bug isn't a big threat, and even Microsoft seemed to downplay its risk with its carefully chosen wording in the security advisory.
"Let's hope they fix it tomorrow," Storms added.
Another long-known vulnerability in Windows, however, probably won't make the final list, Storms said. "The WPAD issue, which was published on Dec. 3 in a security [advisory] from Microsoft, has continued to confuse the industry," he noted. "[But] based on the information in the advanced notification matrix, I'm not seeing one that seems fit nicely into a potential WPAD fix."
More than two months ago, Microsoft acknowledged a bug in how Windows looks up other computers on the Internet. The vulnerability was dubbed Web Proxy Auto-Discovery (WPAD), but it is actually a flaw in the way Windows looks up Domain Name System information. The problem was originally patched in 1999, but it resurfaced in November when a researcher pointed out that it had crept back into later versions of Windows.
The flaw, which could let attackers steer users to an untrustworthy WPAD server, didn't make it into either the December 2007 or January 2008 patch cycles.
"The debate [over WPAD] is whether or not the risk of this known vulnerability warrants a bug fix and in what timeline," said Storms. "Many, including myself, have speculated that based on the known vulnerability details, that a fix shouldn't require an immense amount of engineering time." Storms repeated his earlier belief that Microsoft may have held a WPAD patch for additional testing. "The fix may represent a bigger potential liability to the large enterprise which relies on this feature," he said.
Assuming Microsoft does not yank one or more of the updates at the last minute -- it has done just that at times -- it will roll out the 12 bulletins around 1 p.m. Eastern time Tuesday through Windows Update and WSUS (Windows Server Update Services).