Microsoft Office Bug Could Result In Drive-By Downloads
Microsoft patched flaws in Office that could allow attackers to strike users who simply visit malicious Web sites.
Microsoft on Tuesday issued a pair of security bulletins that patched seven vulnerabilities, the bulk of them critical bugs in the Office productivity suite's Word, Excel, Outlook, and PowerPoint applications.
According to analysts, one of the Office flaws may be exploitable by behind-the-scenes "drive-by downloads" if vulnerable users simply surf to sites with Internet Explorer (IE).
"These issues pose a significant risk for computers that have the vulnerable Office suite installed and are used to browse the Internet or process Microsoft Office files," Symantec warned in an advisory issued minutes after Microsoft posted the bulletins.
Dubbed MS06-012, the bulletin involving Office came with a "critical" tag, Microsoft's most dire warning of the four it slaps on security alerts. The bulletin patches a half-dozen remote code execution vulnerabilities -- the worst kind because they can be exploited without local access -- and five of them are in various versions of Excel, the suite's widely-used spreadsheet. Late last year, one of the five had its 15 minutes of fame when it was briefly put up for sale on eBay.
Microsoft Office 2000, Office XP, Office 2003, and Microsoft Works Suites 2000 through 2006 must be patched as soon as possible, said the Redmond, Wash.-based developer. Two editions of the Macintosh version of Office, Office X for Mac and Office 2004 for Mac, are also at risk and should be updated from the Mactopia site.
While the five Excel flaws involve several parsing issues -- and all are deemed "critical" by Microsoft for users of Office 2000, "important" for Office XP and Office 2003 -- the sixth bug looks like the most dangerous, said analysts.
At issue is Office's "Document Routing" feature, which embeds routing "slips" in Office documents so a file can be passed automatically from one user to the next. The flaw in how Word and PowerPoint handle a routing slip means an attacker can craft a document whose slip triggers code execution when the file is opened. Because IE can open Office documents directly from a Web page, a user who merely browses to a site hosting such a file with IE could have other malware installed without ever deliberately opening the document.
"This one is a huge concern," said Amol Sarwate, the manager of Qualys' vulnerability research lab. "Office users aren't necessarily security savvy," he added, and might not realize that an unpatched suite is at risk simply by visiting the wrong Internet neighborhood.
"There's nothing here that's overwhelmingly 'Oh my goodness,'" countered Mike Murray, director of research at vulnerability management vendor nCircle. "And we're not 100 percent sure that any of these [vulnerabilities] require no user interaction."