Microsoft Office Bug Could Result In Drive-By Downloads
Microsoft patched flaws in Office that could allow attackers to strike users who simply visit malicious Web sites.
Microsoft on Tuesday issued a pair of security bulletins that patched seven vulnerabilities, the bulk of them critical bugs in the Office productivity suite's Word, Excel, Outlook, and PowerPoint applications.
According to analysts, one of the Office flaws may be exploitable by behind-the-scenes "drive-by downloads" if vulnerable users simply surf to sites with Internet Explorer (IE).
"These issues pose a significant risk for computers that have the vulnerable Office suite installed and are used to browse the Internet or process Microsoft Office files," Symantec warned in an advisory issued minutes after Microsoft posted the bulletins.
Dubbed MS06-012, the bulletin involving Office came with a "critical" tag, Microsoft's most dire warning of the four it slaps on security alerts. The bulletin patches a half-dozen remote code execution vulnerabilities -- the worst kind because they can be exploited without local access -- and five of them are in various versions of Excel, the suite's widely-used spreadsheet. Late last year, one of the five had its 15 minutes of fame when it was briefly put up for sale on eBay.
Microsoft Office 2000, Office XP, Office 2003, and Microsoft Works Suites 2000 through 2006 must be patched as soon as possible, said the Redmond, Wash.-based developer. Two editions of the Macintosh version of Office, Office X for Mac and Office 2004 for Mac, are also at risk and should be updated from the Mactopia site.
While the five Excel flaws involve several parsing issues -- and all are deemed "critical" by Microsoft for users of Office 2000, "important" for Office XP and Office 2003 -- the sixth bug looks like the most dangerous, said analysts.
At issue is Office's "Document Routing" feature, which embeds "slips" in Office docs to automatically move files from one user to another. Both Word and PowerPoint have bugs that might let an attacker create files with specially-made slips, then use those to install other malware onto PCs whose users surf to malicious Web sites with IE.
"This one is a huge concern," said Amol Sarwate, the manager of Qualys' vulnerability research lab. "Office users aren't necessarily security savvy," he added, and might not realize that an unpatched suite is at risk simply by visiting the wrong Internet neighborhood.
"There's nothing here that's overwhelmingly 'Oh my goodness,'" countered Mike Murray, director of research at vulnerability management vendor nCircle. "And we're not 100 percent sure that any of these [vulnerabilities] require no user interaction."