MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)
MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)
MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)
MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)
Microsoft Security Bulletin MS08-014
This security update resolves several privately reported and publicly reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for Microsoft Office Excel 2000 Service Pack 3 and rated Important for Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel Viewer 2003, Excel 2007, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Office 2004 for Mac, and Office 2008 for Mac. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses these vulnerabilities by modifying the way that Microsoft Excel performs validations when opening Excel files. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 947563.
Recommendation. Microsoft recommends that customers apply the update immediately
Known Issues. Microsoft Knowledge Base Article 949029 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.
For more information about this bulletin, please click here.
Microsoft Security Bulletin MS08-015
This security update resolves a privately reported vulnerability in Microsoft Office Outlook. The vulnerability could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane.
This security update is rated Critical for supported editions of Microsoft Office Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2 and Service Pack 3, and Outlook 2007. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses these vulnerabilities by modifying the way that Microsoft Outlook handles mailto URIs. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately
Known Issues. None
For more information about this bulletin, please click here.
Microsoft Security Bulletin MS08-016
This security update resolves two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a malformed Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for supported editions of Microsoft Office 2000 and rated Important for supported editions of Microsoft Office XP, Microsoft Office 2003 Service Pack 2, Microsoft Excel Viewer 2003 and Microsoft Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses these vulnerabilities by modifying the way that Microsoft Office allocates memory. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately
Known Issues. None
For more information about this bulletin, please click here.
Microsoft Security Bulletin MS08-017
This critical update resolves two privately reported vulnerabilities in Microsoft Office Web Components. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This is a critical security update for implementations of Microsoft Office Web Components 2000 on supported editions of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000 and Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses the security vulnerabilities by modifying the way that Microsoft Office Web Components handles error conditions and manages memory resources, and by setting the kill bits for Microsoft Office Spreadsheet 2000 controls. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. None
For more information about this bulletin, please click here.