For information about automatic updating in supported editions of Windows Vista, Windows Server , Windows 7, and Windows Server R2, see Understanding Windows automatic updating. For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance , later in this bulletin. The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Where are the file information details? Refer to the reference tables in the Security Update Deployment section for the location of the file information details.

How is this security update related to MS? The security update packages for Microsoft Office for Mac KB and Microsoft Office for Mac KB offered in this bulletin also address the vulnerabilities described in the MS security bulletin.

Why is this update only rated Important for all affected versions of Excel? Microsoft Excel and later versions have a built-in feature that prompts a user to Open, Save, or Cancel before opening a document. This mitigating factor reduces the vulnerabilities from Critical to Important because the vulnerabilities require more than a single user action to complete the exploit. The attack vector for the vulnerability is through Microsoft Excel.

Why is this a Microsoft Office update? Although the attack vector for the vulnerabilities described in this bulletin is only through affected versions of Microsoft Excel, the vulnerable code is contained in a shared component of Microsoft Office. Other Microsoft Office software, including some supported releases of Microsoft Access, Microsoft Word, and Microsoft PowerPoint contain the vulnerable shared component of Microsoft Office, but because they do not access the vulnerable code, they are not affected by this vulnerability. However, since the vulnerable code is present, this update will be offered.

Why does this update address several reported security vulnerabilities? This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.

The updates required to address the vulnerabilities described in this bulletin are offered across different package updates as indicated in the Affected Software table due to the componentized servicing model for Microsoft Office and Microsoft Office To be protected from the vulnerabilities, both updates are required, but they do not need to be installed in a particular order.

What components of the Microsoft Office Compatibility Pack are updated by this bulletin? The update included with this security bulletin applies only to the Microsoft Excel component within the Microsoft Office Compatibility Pack.

How are Microsoft Office standalone programs affected by the vulnerabilities? A Microsoft Office standalone program is affected with the same severity rating as the corresponding component in a Microsoft Office Suite. For example, a standalone installation of Microsoft Excel is affected with the same severity rating as an installation of Microsoft Excel that was delivered with a Microsoft Office Suite.

The Microsoft Office component discussed in this article is part of the Microsoft Office Suite that I have installed on my system; however, I did not choose to install this specific component. Will I be offered this update? Yes, if the component discussed in this bulletin was delivered with the version of the Microsoft Office Suite installed on your system, the system will be offered updates for it whether the component is installed or not. The detection logic used to scan for affected systems is designed to check for updates for all components that were delivered with the particular Microsoft Office Suite and to offer the updates to a system. Users who choose not to apply an update for a component that is not installed, but is delivered with their version of the Microsoft Office Suite, will not increase the security risk of that system. On the other hand, users who do choose to install the update will not have a negative impact on the security or performance of a system.

Does the offer to update a non-vulnerable version of Microsoft Office constitute an issue in the Microsoft update mechanism? No, the update mechanism is functioning correctly in that it detects a lower version of the files on the system than in the update package and thus, offers the update.

I am using an older release of the software discussed in this security bulletin. What should I do? The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle website. It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy. Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager.

The following severity ratings assume the potential maximum impact of the vulnerability.
For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the May bulletin summary.

The update included with this security bulletin applies only to the specific component within the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats that is affected. For example, in an Excel bulletin, only the Excel compatibility pack component files are included in the update packages and not Word or PowerPoint compatibility pack component files. Word compatibility pack component files are updated in a Word bulletin and PowerPoint compatibility pack component files are updated in a PowerPoint bulletin.

What is the Microsoft Office Excel Viewer? With Excel Viewer, you can open, view, and print Excel workbooks, even if you don't have Excel installed. You can also copy data from Excel Viewer to another program. However, you cannot edit data, save a workbook, or create a new workbook.

Are any additional security features included in this update? Yes, as part of the servicing model for the Microsoft Office System, when users of Microsoft Office Service Pack 1 install this update, their systems will be upgraded to security functionality that was initially released with Microsoft Office Service Pack 2. All updates released after April 24, for Microsoft Office will include these security features, which were introduced in the Microsoft Office System Service Pack 2. We have thoroughly tested this update, but as with all updates, we recommend that users perform testing appropriate to the environment and configuration of their systems.

The Office component discussed in this article is part of the Office Suite that I have installed on my system; however, I did not choose to install this specific component. Will I be offered this update? Yes, if the version of the Office Suite installed on your system was delivered with the component discussed in this bulletin, the system will be offered updates for it whether the component is installed or not. The detection logic used to scan for affected systems is designed to check for updates for all components that shipped with the particular Office Suite and offer the updates to a system. Users who choose not to apply an update for a component that is not installed, but is included in their version of the Office Suite, will not increase the security risk of that system. On the other hand, users who do choose to install the update will not have a negative impact on the security or performance of a system.

Does the offer to update a non-vulnerable version of Microsoft Office constitute an issue in the Microsoft update mechanism? No, the update mechanism is functioning correctly in that it detects a lower version of the files on the system than in the update package and thus, offers the update.

Why is this update only Important for all affected versions of Excel? Microsoft Office Excel and later versions have a built-in feature that prompts a user to Open, Save, or Cancel before opening a document. This mitigating factor reduces the vulnerability from Critical to Important because the vulnerability requires more than a single user action to complete the exploit.

I am using an older release of the software discussed in this security bulletin. What should I do? The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site. It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs. Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.
For more information, see Microsoft Exploitability Index. A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.