
Microsoft warns of new Office Web Components vulnerability

By SearchSecurity.com Staff
13 Jul 2009 | SearchSecurity.com


Microsoft issued an advisory Monday, warning of a new vulnerability in Office Web Components being actively targeted by attackers.

The Office Web Components allow users to view spreadsheets, charts and databases on the Web. Microsoft said the vulnerability is in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser. It is remotely exploitable when a person browses with IE and visits a malicious website. An attacker who successfully exploits the flaw could gain the same user rights as the local user and gain complete control of a system, Microsoft said.

"Our investigation has shown that although IE isn't vulnerable, remote code execution is possible and may not require any user intervention when using IE," Dave Forstrom, group manager of the Microsoft Trustworthy Computing group, said in a statement.

Microsoft listed a number of products affected by the vulnerability, including Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard and Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, and Microsoft Office Small Business Accounting 2006.

The software giant issued an automatic workaround for use until a patch is released. The workaround prevents the Office Web Components Library from running in IE. A more technical manual workaround involves setting the killbit for the control by adding a value in the registry.
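
The manual workaround sets a control's kill bit under IE's `ActiveX Compatibility` registry key. As an added example (not from the article or Microsoft's advisory), this Python code audits the text of a `reg export` for that bit; the CLSIDs are constructed placeholders because the article does not list the control's class identifiers, and the function names are hypothetical.

```python
import re

# Registry location and flag value IE uses for ActiveX kill bits
# (HKLM native view only; a 64-bit host also has a Wow6432Node copy).
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000AAAA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000bbbb}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000CCCC}]
"Compatibility Flags"=dword:00000420
'''


def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value from export text."""
    flags, current = {}, None
    prefix = ("HKEY_LOCAL_MACHINE\\" + COMPAT_KEY + "\\").upper()
    for line in reg_text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            # Track which CLSID subkey the following values belong to.
            key = m.group("key").upper()
            current = key[len(prefix):] if key.startswith(prefix) else None
            continue
        m = _FLAGS.match(line)
        if m and current:
            flags[current] = int(m.group("val"), 16)
    return flags


def audit_killbits(reg_text, clsids):
    """Return {clsid: bool}; True only when the 0x400 bit is set.

    A missing key or a flags value without that bit means IE can still
    load the control, so both are reported as False.
    """
    flags = parse_compat_flags(reg_text)
    return {c: bool(flags.get(c.upper(), 0) & KILL_BIT) for c in clsids}
```

The check tests the bit rather than comparing for equality, so a control whose flags carry other bits alongside `0x400` is still reported as blocked.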

Danish vulnerability clearinghouse Secunia gave the flaw an extremely critical rating in its advisory.

Graham Cluley, senior technology consultant at Sophos Inc., said the latest vulnerability is a case of bad timing for Microsoft.

"Their latest bundle of patches are due to be released tomorrow, meaning they almost certainly won't be able to include a fix for this security hole in this round of fixes," Cluley wrote in his Sophos blog.
