04:34 PM

Microsoft Office Bug Could Result In Drive-By Downloads

Microsoft patched flaws in Office that could allow attackers to strike users who simply visit malicious Web sites.

Microsoft on Tuesday issued a pair of security bulletins that patched seven vulnerabilities, the bulk of them critical bugs in the Office productivity suite's Word, Excel, Outlook, and PowerPoint applications.

According to analysts, one of the Office flaws may be exploitable through behind-the-scenes "drive-by downloads" if users with a vulnerable Office installation simply surf to a malicious site with Internet Explorer (IE).

"These issues pose a significant risk for computers that have the vulnerable Office suite installed and are used to browse the Internet or process Microsoft Office files," Symantec warned in an advisory issued minutes after Microsoft posted the bulletins.

Dubbed MS06-012, the bulletin involving Office came with a "critical" tag, Microsoft's most dire warning of the four it slaps on security alerts. The bulletin patches a half-dozen remote code execution vulnerabilities -- the worst kind because they can be exploited without local access -- and five of them are in various versions of Excel, the suite's widely-used spreadsheet. Late last year, one of the five had its 15 minutes of fame when it was briefly put up for sale on eBay.

Microsoft Office 2000, Office XP, Office 2003, and Microsoft Works Suites 2000 through 2006 must be patched as soon as possible, said the Redmond, Wash.-based developer. Two editions of the Macintosh version of Office, Office X for Mac and Office 2004 for Mac, are also at risk and should be updated from the Mactopia site.

While the five Excel flaws involve several parsing issues -- and all are deemed "critical" by Microsoft for users of Office 2000, "important" for Office XP and Office 2003 -- the sixth bug looks like the most dangerous, said analysts.

At issue is Office's "Document Routing" feature, which embeds "slips" in Office docs to automatically move files from one user to another. Both Word and PowerPoint have bugs that might let an attacker create files with specially-made slips, then use those to install other malware onto PCs whose users surf to malicious Web sites with IE.

"This one is a huge concern," said Amol Sarwate, the manager of Qualys' vulnerability research lab. "Office users aren't necessarily security savvy," he added, and might not realize that an unpatched suite is at risk simply by visiting the wrong Internet neighborhood.

"There's nothing here that's overwhelmingly 'Oh my goodness,'" countered Mike Murray, director of research at vulnerability management vendor nCircle. "And we're not 100 percent sure that any of these [vulnerabilities] require no user interaction."
