Microsoft investigates new Office zero-day flaw

By Bill Brenner, Senior News Writer 23 May 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft Corp. confirmed Wednesday that it is looking into reports of a new Office zero-day flaw attackers could exploit to cause a denial of service or run malicious code on targeted Windows machines.

Cupertino, Calif.-based antivirus giant Symantec Corp. released an email advisory on the flaw to customers of its DeepSight threat management system early Wednesday afternoon. A couple hours later, a Microsoft spokesperson confirmed the company is investigating the report. At issue is a buffer overflow flaw in Office 2000's UA ActiveX control. Because of the flaw, the application fails to properly check user-supplied data before copying it into a poorly-sized buffer, Symantec said.

"This issue occurs when an excessive amount of data is passed to the 'HelpPopup' method of the 'OUACTRL.OCX' ActiveX control," Symantec said. "Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions."

Symantec said the flaw was discovered by a researcher named Shinnai, who has posted exploit code. To successfully exploit the flaw, an attacker must trick an unsuspecting user into accessing a malicious Web page.

The Microsoft spokesperson said Microsoft is not aware of any attacks attempting to use the flaw, but that it will continue to investigate the issue.

"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs," she added.

For now, Symantec recommends users mitigate the threat by disabling ActiveX scripting in Internet Explorer, or set the kill bit on CLSID:8936033C-4A50-11D1-98A4-00A0C90F27C6.

Tags: Securing Productivity Applications,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Securing Productivity Applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Adobe acknowledges serious Flash zero-day vulnerability Adobe issues security advisory for Flash zero-day flaw When to use the service features of the Metasploit hacking tool How to manage patches for Adobe Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary sheepdip  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary