Microsoft: No patch for Excel zero-day flaw next week
Plans to deliver three updates for Windows, including one 'critical'
March 5, 2009 12:00 PM ETComputerworld - Microsoft Corp. today said it will deliver three security updates on Tuesday, one of them ranked as "critical," but will not fix an Excel flaw that attackers are now exploiting.
All three updates spelled out in today's notice will tackle vulnerabilities in Windows, but as is its practice, Microsoft did not drill any deeper than to specify which versions will be affected.
"It's pretty nebulous," said Andrew Storms, director of security operations at nCircle Network Security Inc. "They could be any number of a billion of things."
The critical update will affect all still-supported editions of the operating system, starting with Windows 2000 and running through XP, Server 2003, Vista and Server 2008. By Microsoft's definition, "critical" means that unpatched PCs can be hijacked without any action by the user.
Both remaining updates were labeled "important," Microsoft's second-highest ranking in its four-step system, and were also described as "spoofing" bugs, a term that typically indicates they could be used trick users into divulging confidential information.
One of the spoofing patches will update all supported versions of Windows, while the second targets only Server 2000, Server 2003 and Server 2008 systems.
"It doesn't look like we're going to see patches for any open Microsoft security advisories," said Storms, pointing to three that have not yet been closed. Those include two advisories issued last year -- one from April 2008, and another from December -- and the alert published just last week about a vulnerability in Excel that attackers are already exploiting.
Last week, Microsoft downplayed that threat, saying that the company's security experts had seen only a small number of attacks. According to researchers at Symantec Corp., the vulnerability is a file format bug in all supported versions, including the latest -- Excel 2007 on Windows and Excel 2008 for the Mac.
"I'm not really surprised that the Excel vulnerability won't be patched, what with the timeline," said Storms, "but the others have been open for a long time."
Today's notice also warned users that all three updates will require rebooting. "Let's just call it Reboot Tuesday," Storms quipped.
Microsoft will release March's three updates at approximately 1 p.m. Eastern on Tuesday.
Read more about security in Computerworld's Security Knowledge Center.
Microsoft
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

