Microsoft has patched a variety of vulnerabilities in its ubiquitous Office suite which create a means for hackers to attack vulnerable systems. The critical (cumulative MS06-012 (http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx)) update, along with a security fix (MS06-011 (http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx)) to defend against an "important" privilege escalation flaw in Windows, form a brace of patches issued by Microsoft as part of its regular monthly Patch Tuesday update cycle.

The update (http://secunia.com/advisories/19138) covers bugs in various versions of Excel including one involving the processing of files with a malformed range as well as a flaw in Office that creates a memory corruption risk when processing a specially crafted 'routing slip'.

Security firm McAfee reckons that exploits targeting the Office vulnerabilities are highly likely. "Additionally, exploits targeting MS06-011 are already present that allow authenticated users to escalate their privileges remotely on affected systems," said Monty Ijzerman, manager of security content for McAfee Avert Labs.

Other security experts point out that the Office update is largely a collection of previously available fixes. "The [Office update] is really a collection of several different fixes in one update including more "file format" problems that have been commonplace over the last six months. The good news is the updates are all available at the same time," said Alan Bentley, managing director of patch management firm PatchLink.

"However, for organisations that are not using an automated patch management system to deploy patches, getting the exact patch required to the right system could prove to be a little frustrating and challenging. In this particular case there are 10 different download links to get the various applicable patches for Windows and Macintosh." ®

Related stories

When PowerPoint presentations attack (17 July 2006)
http://www.theregister.co.uk/2006/07/17/powerpoint_trojan/
Exchange flaw poses 'worm risk' (10 May 2006)
http://www.theregister.co.uk/2006/05/10/ms_patch_tuesday/
MS Word causes academic dust-up (24 April 2006)
http://www.theregister.co.uk/2006/04/24/word_academic_publishing/
MS patch glitch cripples HP computers (18 April 2006)
http://www.theregister.co.uk/2006/04/18/ms_patch_glitch/
'Critical' IE bug threatens PC users (27 March 2006)
http://www.theregister.co.uk/2006/03/27/another_ie_security_flaw/
Microsoft sets Apple straight on security (23 March 2006)
http://www.theregister.co.uk/2006/03/23/microsoft_apple_security/
Zombie PCs menace mankind (7 March 2006)
http://www.theregister.co.uk/2006/03/07/symantec_net_threat_report_2h2005/
Seven patches for St Valentine's patch Tuesday (15 February 2006)
http://www.theregister.co.uk/2006/02/15/ms_patch_tuesday/
Lawsuit forces users to update Microsoft Office (7 February 2006)
http://www.theregister.co.uk/2006/02/07/microsoft_office_access_infringement/
More cracks appear in Windows (11 January 2006)
http://www.theregister.co.uk/2006/01/11/ms_january_patch_tuesday/
World+dog scrambles to fight Windows flaw (3 January 2006)
http://www.theregister.co.uk/2006/01/03/wmf_workaround/