Microsoft warns of new Office Web Components vulnerability


Microsoft issued an advisory Monday, warning of a new vulnerability in Office Web Components being actively targeted by attackers.


The Office Web Components allow users to view spreadsheets, charts and databases on the Web. Microsoft said the vulnerability is in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser. It is remotely exploitable when a person browses with IE and visits a malicious website. If successfully exploited, an attacker could gain the same user rights as the local user and gain complete control of a system, Microsoft said.

"Our investigation has shown that although IE isn't vulnerable, remote code execution is possible and may not require any user intervention when using IE," Dave Forstrom, group manager of the Microsoft Trustworthy Computing group, said in a statement.


Microsoft listed a number of products affected by the vulnerability, including Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard and Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, and Microsoft Office Small Business Accounting 2006.

The software giant issued an automatic workaround for use until a patch is released. The workaround prevents the Office Web Components Library from running in IE. A more technical manual workaround involves setting the killbit for the control by adding a value in the registry.
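One way to confirm that a kill-bit workaround like this has taken effect on a machine, as an added example that is not from the article or from Microsoft: the script parses the text of a `reg export` of IE's ActiveX Compatibility key and reports whether each control has the kill bit (0x400 in `Compatibility Flags`) set. The article does not give the control's CLSID, so the CLSIDs and the export below are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE instantiating a control

KEY_RE = re.compile(r"^\[.*\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.I)
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.I)

# Constructed sample of `reg export` output. The CLSIDs are placeholders, not the
# affected control's. Real export files are UTF-16 and must be decoded first.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"AlternateCLSID"="{11111111-1111-1111-1111-111111111111}"
"""

def parse_compat_flags(export_text):
    """Map each CLSID subkey to its Compatibility Flags value (None if the value is absent)."""
    flags, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, None)
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        elif current:
            val = VAL_RE.match(line)
            if val:
                flags[current] = int(val.group(1), 16)
    return flags

def killbit_status(export_text, clsids):
    """Return 'blocked', 'not blocked' or 'missing' for each CLSID of interest."""
    flags = parse_compat_flags(export_text)
    status = {}
    for clsid in clsids:
        value = flags.get(clsid.upper())
        if value is None:
            status[clsid] = "missing"  # no key, or key without a flags value
        else:
            status[clsid] = "blocked" if value & KILL_BIT else "not blocked"
    return status
```

On 64-bit Windows, 32-bit IE reads the same key under `Wow6432Node`, so export and check that view separately.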

Danish vulnerability clearinghouse Secunia gave the flaw an extremely critical rating in the Secunia advisory.

Graham Cluley, senior technology consultant at Sophos Inc., said the latest vulnerability is a case of bad timing for Microsoft.

"Their latest bundle of patches are due to be released tomorrow, meaning they almost certainly won't be able to include a fix for this security hole in this round of fixes," Cluley wrote in his Sophos blog.