Microsoft issued an advisory Monday, warning of a new vulnerability in Office Web Components being actively targeted by attackers.
The Office Web Components allow users to view spreadsheets, charts and databases on the Web. Microsoft said the vulnerability is in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser. It is remotely exploitable when a person browses with IE and visits a malicious website. If successfully exploited, an attacker could gain the same user rights as the local user and gain complete control of a system, Microsoft said.
"Our investigation has shown that although IE isn't vulnerable, remote code execution is possible and may not require any user intervention when using IE," Dave Forstrom, group manager of the Microsoft Trustworthy Computing group, said in a statement.
Microsoft listed a number of products affected by the vulnerability, including Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard and Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, and Microsoft Office Small Business Accounting 2006.
The software giant issued an automatic workaround to use until a patch is released. The workaround prevents the Office Web Components Library from running in IE. A more technical manual workaround involves setting the kill bit for the control by adding a value to the registry.
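The manual workaround mentioned above relies on Internet Explorer's ActiveX kill bit: IE refuses to instantiate a control whose CLSID has the 0x400 flag set in "Compatibility Flags" under the ActiveX Compatibility registry key (documented by Microsoft in KB 240797). The following PowerShell script is an added example, not Microsoft's own Fix it or code from the article; it sets the kill bit for a given CLSID while preserving any flags already present, covers the Wow6432Node view that 32-bit IE reads on 64-bit Windows, and verifies the result so the workaround can be audited across machines. The CLSID value is a placeholder, since the article does not give the Spreadsheet control's CLSID; replace it with the one from the Microsoft advisory.

```powershell
# Added example (not from the article or Microsoft's Fix it): set and audit the
# IE ActiveX kill bit for one control. Run from an elevated PowerShell session.
# The kill-bit mechanism (Compatibility Flags = 0x400) is documented in KB 240797.
param(
    # PLACEHOLDER CLSID: the article does not give the real control's CLSID.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',
    # Use -AuditOnly to report without changing the registry.
    [switch]$AuditOnly
)

$KillBit = 0x400
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both must be set.
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # True only when the 0x400 bit is present in the existing flags.
    param([string]$Path)
    $flags = Get-CompatFlags -Path $Path
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = Get-CompatFlags -Path $Path
    if ($null -eq $existing) { $existing = 0 }
    # OR in the kill bit so any other compatibility flags survive.
    $new = $existing -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($p in $Paths) {
    if (Test-KillBit -Path $p) {
        Write-Output "Kill bit already set: $p"
    } elseif ($AuditOnly) {
        Write-Output "Kill bit MISSING:     $p"
    } else {
        Set-KillBit -Path $p
        $ok = Test-KillBit -Path $p
        Write-Output ("Kill bit set: {0} (verified: {1})" -f $p, $ok)
    }
}
```

Running the script with -AuditOnly is a cheap way to confirm, before and after rollout of the workaround, that the control is actually blocked on a machine; setting the kill bit only under the 64-bit key is a common mistake that leaves 32-bit IE unprotected, which is why both paths are checked.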
Secunia, the Danish vulnerability clearinghouse, gave the flaw an "extremely critical" rating in its advisory.
Graham Cluley, senior technology consultant at Sophos Inc., said the latest vulnerability is a case of bad timing for Microsoft.
"Their latest bundle of patches are due to be released tomorrow, meaning they almost certainly won't be able to include a fix for this security hole in this round of fixes," Cluley wrote in his Sophos blog.