
Microsoft warns of new Office Web Components vulnerability

SearchSecurity.com Staff

Microsoft issued an advisory Monday, warning of a new vulnerability in Office Web Components being actively targeted by attackers.


The Office Web Components allow users to view spreadsheets, charts and databases on the Web. Microsoft said the vulnerability is in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser. It is remotely exploitable when a person browses with IE and visits a malicious website. If successfully exploited, an attacker could gain the same user rights as the local user and gain complete control of a system, Microsoft said.

"Our investigation has shown that although IE isn't vulnerable, remote code execution is possible and may not require any user intervention when using IE," Dave Forstrom, group manager of the Microsoft Trustworthy Computing group, said in a statement.


Microsoft listed a number of products affected by the vulnerability, including Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard and Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, and Microsoft Office Small Business Accounting 2006.

The software giant issued an automatic workaround until a patch is released. The workaround prevents the Office Web Components Library from running in IE. A more technical manual workaround involves setting the killbit for the control by adding a value in the registry.

Danish vulnerability clearinghouse Secunia gave the flaw an extremely critical rating in its advisory.

Graham Cluley, senior technology consultant at Sophos Inc., said the latest vulnerability is a case of bad timing for Microsoft.

"Their latest bundle of patches are due to be released tomorrow, meaning they almost certainly won't be able to include a fix for this security hole in this round of fixes," Cluley wrote in his Sophos blog.

