Microsoft Office Bug Could Result In Drive-By Downloads
Microsoft patched flaws in Office that could allow attackers to strike users who simply visit malicious Web sites.
Microsoft on Tuesday issued a pair of security bulletins that patched seven vulnerabilities, the bulk of them critical bugs in the Office productivity suite's Word, Excel, Outlook, and PowerPoint applications.
According to analysts, one of the Office flaws may be exploitable by behind-the-scenes "drive-by downloads" if vulnerable users simply surf to sites with Internet Explorer (IE).
"These issues pose a significant risk for computers that have the vulnerable Office suite installed and are used to browse the Internet or process Microsoft Office files," Symantec warned in an advisory issued minutes after Microsoft posted the bulletins.
Dubbed MS06-012, the bulletin involving Office came with a "critical" tag, Microsoft's most dire warning of the four it slaps on security alerts. The bulletin patches a half-dozen remote code execution vulnerabilities -- the worst kind because they can be exploited without local access -- and five of them are in various versions of Excel, the suite's widely-used spreadsheet. Late last year, one of the five had its 15 minutes of fame when it was briefly put up for sale on eBay.
Microsoft Office 2000, Office XP, Office 2003, and Microsoft Works Suites 2000 through 2006 must be patched as soon as possible, said the Redmond, Wash.-based developer. Two editions of the Macintosh version of Office, Office X for Mac and Office 2004 for Mac, are also at risk and should be updated from the Mactopia site.
While the five Excel flaws involve several parsing issues -- and all are deemed "critical" by Microsoft for users of Office 2000, "important" for Office XP and Office 2003 -- the sixth bug looks like the most dangerous, said analysts.
At issue is Office's "Document Routing" feature, which embeds "slips" in Office docs to automatically move files from one user to another. Both Word and PowerPoint have bugs that might let an attacker create files with specially-made slips, then use those to install other malware onto PCs whose users surf to malicious Web sites with IE.
"This one is a huge concern," said Amol Sarwate, the manager of Qualys' vulnerability research lab. "Office users aren't necessarily security savvy," he added, and might not realize that an unpatched suite is at risk simply by visiting the wrong Internet neighborhood.
"There's nothing here that's overwhelmingly 'Oh my goodness,'" countered Mike Murray, director of research at vulnerability management vendor nCircle. "And we're not 100 percent sure that any of these [vulnerabilities] require no user interaction."