Microsoft's security updates Tuesday will probably include a fix for a vulnerability in Excel that has been exploited by attackers for several weeks, a researcher said today. But he told users not to expect a fix for another bug that the company acknowledged more than two months ago.

According to the prepatch notice Microsoft issued last week, three of the 12 security updates will address critical flaws in Microsoft Office. However, none cited Excel, the suite's spreadsheet application, and the notice instead referred to bugs in Publisher and Word, plus a generic third flaw in Office 2000, Office XP and Office 2003.

About a month ago, Microsoft posted a security advisory confirming that attacks against Excel were in progress. Then, the company recommended that Office 2003 users run suspect Excel files through MOICE (Microsoft Office Isolated Conversion Environment), a free conversion tool released last year that converts Office 2003 format documents into the more secure Office 2007 formats to strip out possible exploit code. It also told users to think about using File Block, a last-ditch defense that lets administrators block select Office file types.

Andrew Storms, director of security operations at nCircle Network Security, noted that the Office updates account for a third of Tuesday's patches. "For Microsoft not to address the single publicly-debated vulnerability in Excel would be a big misstep," he said. "Some debate that the Excel bug isn't a big threat, and even Microsoft seemed to downplay its risk with its carefully chosen wording in the security advisory.

"Let's hope they fix it tomorrow," Storms added.

Another long-known vulnerability in Windows, however, probably won't make the final list, Storms said. "The WPAD issue, which was published on Dec. 3 in a security [advisory] from Microsoft, has continued to confuse the industry," he noted. "[But] based on the information in the advanced notification matrix, I'm not seeing one that seems fit nicely into a potential WPAD fix."

More than two months ago, Microsoft acknowledged a bug in how Windows looks up other computers on the Internet. The vulnerability was dubbed Web Proxy Auto-Discovery (WPAD), but it is actually a flaw in the way Windows looks up Domain Name System information. The problem was originally patched in 1999, but it resurfaced in November when a researcher pointed out that it had crept back into later versions of Windows.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.