July followed June in being a busy month for security updates from Microsoft, seeing the release of five critical and two important updates.
The updates for Microsoft Office and in particular Excel had been widely expected. Three of the critical updates fix several problems in this area, which potentially allow remote code execution. However, many of these vulnerabilities require user action, such as opening an Excel spreadsheet from an unknown or untrusted source. User education is as much the answer to eliminating these security problems as software fixes.
The other updates cover a variety of Windows components and Microsoft services, including critical updates for both the Server Service and the DHCP client, both of which could allow an attacker to take control of a vulnerable system (remote code execution). The fact that even the humble DHCP client (which obtains a dynamic IP address for a computer from a DHCP server) is a potential target for attackers illustrates just how difficult it must be for Microsoft to ensure security.
Apart from the Excel and Office vulnerabilities, the last month has seen several reports of other Microsoft software vulnerabilities in components such as Internet Explorer, some of which remain unpatched at the time of writing.
Further information: