Posted by Virus Bulletin on Feb 13, 2008
Excel remains vulnerable as expected fix is dropped.
Microsoft has issued its monthly 'Patch Tuesday' set of security updates, with a larger than usual crop of patches for a variety of products, including several for the Office range and Internet Explorer browser. However, one significant patch - for a vulnerability in Excel - was withdrawn from the release after being included in a pre-release notification issued last week.
Of the 11 patches released yesterday, six are marked 'Critical', including updates for Word, Publisher, the Office suite as a whole and the OLE automation system. Internet Explorer is covered with a cumulative patch bundle fixing at least four separate flaws. The five lesser flaws, still rated 'Important', affect Active Directory, the Windows TCP/IP implementation, IIS and Works.
The Excel vulnerability, which was reported to be subject to exploitation in the wild last month, was expected to be fixed in this release, and was included in the official advance notification issued by Microsoft on Thursday last week. However, due to some issues arising during last-minute testing, the patch was withdrawn, and the vulnerability looks likely to remain open until the next Patch Tuesday, in March.