Microsoft warns of new Office Web Components vulnerability

A Spreadsheet ActiveX Control vulnerability in Microsoft Office Web Components is being actively exploited by attackers.

Microsoft issued an advisory Monday, warning of a new vulnerability in Office Web Components being actively targeted by attackers.


The Office Web Components allow users to view spreadsheets, charts and databases on the Web. Microsoft said the vulnerability is in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser. It is remotely exploitable when a person browses with IE and visits a malicious website. If successfully exploited, an attacker could gain the same user rights as the local user and gain complete control of a system, Microsoft said.

"Our investigation has shown that although IE isn't vulnerable, remote code execution is possible and may not require any user intervention when using IE," Dave Forstrom, group manager of the Microsoft Trustworthy Computing group, said in a statement.


Microsoft listed a number of products affected by the vulnerability, including Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard and Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, and Microsoft Office Small Business Accounting 2006.

The software giant issued an automatic workaround for use until a patch is released. The workaround prevents the Office Web Components Library from running in IE. A more technical manual workaround involves setting the killbit for the control by adding a value in the registry.

Danish vulnerability clearinghouse Secunia gave the flaw an extremely critical rating in the Secunia advisory.

Graham Cluley, senior technology consultant at Sophos Inc., said the latest vulnerability is a case of bad timing for Microsoft.

"Their latest bundle of patches are due to be released tomorrow, meaning they almost certainly won't be able to include a fix for this security hole in this round of fixes," Cluley wrote in his Sophos blog.
