'Browse and get owned' is how Microsoft describes it. The software giant has issued a strong warning for users of Excel concerning a new vulnerability being exploited online. The attacks target the Spreadsheet ActiveX Control in Microsoft Office Web Components, resulting in remote code execution and, in some cases, it is believed that no user intervention is required for the attack to be a success.
Flaw in Microsoft Office Web Components could allow remote compromise. (Img: Microsoft)
On the eve of patch Tuesday, Microsoft has issued another Security Advisory on an ActiveX flaw that will compromise a system if exploited. There are confirmed instances of the vulnerability being used in attacks online and, according to Microsoft, the exploitation might not even require user intervention. Microsoft has said it is working on a patch, which will “[be] released once it reaches an appropriate level of quality for broad distribution.”
Two things to note. The first is that this newest vulnerability has a quick fix, and the second is that it does not affect users of Internet Explorer 8 or Office 2007. The problem is that the bulk of Microsoft customers are using versions of software far from current. It isn’t uncommon to see Office 2003 or Internet Explorer 7, as well as older versions of Microsoft Office, deployed across a business network. That makes this new vulnerability disclosure just as important as the one that will be patched on Tuesday.
The vulnerability centers on Microsoft Office Web Components, specifically the Spreadsheet ActiveX control. The Microsoft Office Web Components are a part of a collection of COM controls used to publish spreadsheets, charts, and databases to the Web, and also for viewing the published components online. If a malicious site is viewed, the exploited vulnerability will lead to code execution.
“The last couple of weeks have been interesting for anybody following Microsoft Security. Beyond the DirectShow vulnerability zero-day at the end of May, Microsoft has been forced to acknowledge two other zero-day vulnerabilities. Both are related to ActiveX,” said Wolfgang Kandek, Qualys’ CTO, when The Tech Herald asked for his thoughts on today’s announcement.
“Browsing websites that have exploit code embedded with Internet Explorer is the main attack vector, which will certainly fuel the discussion around the use of alternative browsers. Microsoft has quickly provided easy-to-use workarounds for both vulnerabilities via their Fixit program, but it is not clear why they have waited for over a year to provide a fix for the underlying coding problems which they were notified of in Spring of 2008,” he added.
Related to this newest ActiveX vulnerability is the one reported last week, a stack overflow in DirectShow MPEG2TuneRequest -- yet another issue with ActiveX. Microsoft caught flak for admitting that it had been well aware of that flaw for quite some time and had held off patching it. That ActiveX issue will be addressed in Tuesday’s patch release.
According to Microsoft, XP, Office 2003, ISA 2004 and 2006, as well as Small Business Accounting 2006, are affected by the newest vulnerability. In lieu of an official patch, Microsoft has offered a quick fix and several workarounds.
The Security Advisory, which contains official workarounds, can be found here.
The Quick Fix using the Fixit Tool is here.