The following is a list of what new goodies our faithful friend, Microsoft, has removed from their big bag of presents:

MS07-001: Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution.
KB Number: 921585
Severity: Important

MS07-002: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution.
KB Number: 927198
Severity: Critical

MS07-003: Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution.
KB Number: 925938
Severity: Critical

MS07-004: Vulnerability in Vector Markup Language Could Allow Remote Code Execution.
KB Number: 929969
Severity: Critical

I highly recomment that these patches be installed once they have been delivered to you via Microsoft’s automatic update service. If, for whatever reason, you do not see them show up anytime soon then I strongly recommend that you force-check for new updates. Once prompted to install these security patches then do so immediately.

What will February have in store for Windows users across the world? Only time will tell!

The unspecified vulnerability affects all versions prior to 2.0.6 whereas the user account enumeration weakness has been confirmed to only affect 2.0.5. Other releases may be affected but have yet to be validated.

In order to mitigate these issues it is highly recommended that users upgrade to Wordpress 2.0.6. It is always recommended to upgrade when critical security issues are located in products that are currently in use.

Googles $6 billion-a-year advertising business is at risk because it cant be sure that anyone is looking at its ads. The problem is called click fraud, and it comes in two basic flavors.

Google is testing a new advertising model to deal with click fraud: cost-per-action ads. Advertisers don’t pay unless the customer performs a certain action: buys a product, fills out a survey, whatever. It’s a hard model to make work — Google would become more of a partner in the final sale instead of an indifferent displayer of advertising — but it’s the right security response to click fraud: Change the rules of the game so that click fraud doesn’t matter.

That’s how to solve a security problem.

Google is definitely taking the right path on this one. The wise words, from an even wiser security expert, should not be ignored.

Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called “two-factor authentication” — the second factor being something the user has in their physical possession like an access card — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.

This attack was fairly complex and done exceptionally well. Most security experts would have been able to spot it immediately, however the lay person might not know any better. Just goes to show that just because something is two-factor does not automatically mean that the entirety of its security design is better than if it were single-factor.

The FBI has done some forensic work on the laptop and says it can’t find any evidence that the data was accessed. InfoWorld’s Robert Grimes chimes in to say, Rumsfeld style, that the absence of evidence is not the evidence of absence, since any fool could have simply cloned the disk and then accessed the database on the cloned disk.

Now, there’s also some back in forth in the VA about whether the data analyst was authorized to take the data home. The analyst, who has been fired, says he has a letter authorizing him to take the data home, while the VA says the letter is for a different computer.

What really concerns me is this: why was this analyst working with social security numbers on a laptop, rather than in the office while connected to the network? I can not, for the life of me, come up with a good reason for why this analyst was doing what he was doing, with the data that ultimately ended up stolen.

Although Microsoft does not disclose in advance what flaws are to be patched, two vulnerabilities in Excel are likely to be among the fixes. One issue relates to maliciously crafted spreadsheet files that could lead to a full system compromise, while the other relates to hyperlinks in Excel documents.

Two security flaws affecting Internet Explorer were also reported last week, including a cross-site scripting issue where an attacker could view information in an open browser window from another that is visiting a malicious site.

As usual, Internet Explorer is being fixed yet again. For the second month straight Excel will receive some patch love among a few others that we are not yet aware of. If you are a corporate system administrator then ensure you test these patches on a closed network before deploying throughout your enterprise.

The new feature, called ActiveX Installer Service, will be fitted into the next public release of Vista to provide a way for enterprises to cope with the UAC (User Account Control) security mechanism.

UAC, formerly known as LUA (Limited User Account), is enabled by default in Vista to separate Standard User privileges from those that require admin rights to harden the operating system against malware and malicious hacker attacks.

However, because UAC will block the installation of ActiveX controls on Standard User systems, enterprise applications that use the technology will encounter breakages. ActiveX controls are objects used to enhance a user’s interaction with an application.

This sounds like an exploit that many will be salivating to take control of. While it remains to be seen just how vulnerable this “feature” is, the base description certainly leaves a lot to be desired. How long before a privilege escalation exploit is released?

They school district claims that Google somehow trespassed on their server and made information publicly available. There is very little information about this incident being publicly released, however the following statement really caught my attention:

“One of the students on the list had a presence on the Web,” she said. “In Google’s effort to get information on her, one of its spiders latched onto her name in this document. We were not aware that password-protected sites are set up like that. To our knowledge, Google could only cache unsecure information that did not require a password or username.”

Based on reading the statement by the district I can only surmise that they have incompetent system administrators working on their web server. It is common knowledge by those in the industry that if information is posted on a publicly accessible web site then it can be spidered and indexed by Google. If the information is properly protected then there is no way for Google’s spider to crawl the documents, therefore they will not be included in their index.

Sadly, it appears that nobody is willing to own up and tell the school district that they made a mistake. Taxpayer dollars will be wasted on a baseless lawsuit that could have been avoided if 1) the district hired competent system administrators and 2) the employees properly briefed their supervisors on their own mistakes.

Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. In order for this attack to be carried out, a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker.

In order to avoid the possibility of being compromised by this vulnerability just do not open attachments from untrusted, unreliable authors. This is a best practice that should be followed daily. If you are already weary about opening attachments from unknown senders then you are on the right track.