Wednesday, February 13, 2008

Black Tuesday but no patch for Excel vulnerability???

Yesterday, Microsoft released their monthly security updates with eleven patches. There were six patches for the Windows OS (from Windows 2K to XP, some even for Vista), one patch for Internet Explorer and four patches for various Office products. Among the 11 patches, 6 were classified as critical and 5 as important. Most of the vulnerabilities allowed remote code execution. Patching them is highly recommended.

It is no surprise to see so many "critical" patches from Microsoft's monthly "Black Tuesday". I was surprised when there wasn't any patch for the Excel vulnerability that was announced by Microsoft last month (refer to previous blog "Vulnerability in Microsoft Excel..." - Jan 17). This vulnerability was considered "critical" as an attacker can specially craft an Excel file that triggers a memory corruption error and executes arbitrary code on the target system.

Looking at the Knowledge Base (KB) numbers that were patched this month, it seems that Microsoft has a lot of backlog to clear, as they are still patching the October vulnerability KB942695.

Related Reports:
- Microsoft Security Bulletin Summary for February 2008

- Microsoft Security Advisory (947563), Vulnerability in Microsoft Excel Could Allow Remote Code Execution
