Excel holes patched in March security update
March seems to be Excel month in Microsoft’s “patch Tuesday” calendar, with seven vulnerabilities patched this week in the spreadsheet program, and another six addressing the Office Excel Viewer, Office Compatibility Pack and SharePoint Server.
The company also acknowledged a so called zero-day flaw in its Internet Explorer browser. The latest version, Internet Explorer 8, is not affected, the company said. The weak spot means that someone using the browser could be vulnerable to a malware download if they visit a website designed to exploit it. According to some security analysts, this technique was used to stage the concerted attacks on Google’s Chinese operations in January.
The Excel vulnerabilities were all classed as “Important” rather than “Critical” because they require the user to open an infected spreadsheet file – now a two-step process. The fixes apply to all versions of Excel from the 2002 edition onwards and include the Excel Viewer and Office Compatibility Pack. The Excel 2004 and Office 2008 Mac versions are affected as is the Open XML File Format Converter for Mac.
The Excel Services component within Microsoft Office SharePoint Sever 2007 is also vulnerable, requiring four more individual updates.
As well as not opening unsolicited spreadsheet attachments, Excel users and their system managers are urged to download and apply the patches as soon as possible, if this is not already done by Microsoft’s automatic Windows Update system.