Microsoft plugs critical Office holes

Microsoft warned of three vulnerabilities in software that allow users to view and edit Office documents in a Web browser. The most serious flaw, rated "critical," could give an attacker full control over a user's PC.

All three vulnerabilities exist in the spreadsheet component of Office Web Components (OWC), software that provides limited Office functionality in a Web browser without the need for Office to be installed, Microsoft said Wednesday in a security bulletin announcing a fix for the flaws.

OWC is shipped with various Microsoft products, including Office, and is also available as a separate download.

Microsoft's severity rating for standard computers is "critical," while the vulnerabilities present only a "moderate" risk to Internet and Intranet servers, the Redmond, Washington, company said.

The most serious vulnerability lies in the "Host()" function of the spreadsheet OWC component. An attacker could take any action on a PC that the user could by sending a specially-crafted HTML (Hypertext Markup Language) e-mail or luring the user to a Web site containing the special HTML page, Microsoft said.

The other two vulnerabilities lie in the "LoadText()" and "Copy()/Paste()" methods of OWC. These expose files and the clipboard contents on a user's system. To read files, an attacker would have to know the location of the files and the files have to be readable through a Web browser, limiting the scope of the vulnerability, Microsoft said.

That's incorrect, according to security experts at GreyMagic Software, who say they first reported the three vulnerabilities to Microsoft almost five months ago. The "LoadText()" flaw allows an attacker to read any file, they said in an e-mail to the IDG News Service. Microsoft, also informed by GreyMagic, issued a revised security bulletin late Thursday, correcting its first bulletin on this point.

Also, GreyMagic criticized Microsoft for not permanently disabling the associated ActiveX control. ActiveX controls are single purpose computer programs. The so-called "Kill Bit" is not set on the control, which means an attacker could remotely reinstall the vulnerable control. Microsoft acknowledges this, but contends it would be hard to reinstall the vulnerable control without the user noticing because the OWC package is 7MB in size.

GreyMagic disagrees, stating that "unlike MS claims, it's not that easy to notice the ActiveX control when it installs itself. An attacker can open an off-screen window that will silently install OWC without the user knowing."

"This is a fundamental problem in the patch and it renders it quite useless," GreyMagic said.

An attacker could reinstall the vulnerable OWC ActiveX control on a user's system by sending an HTML (Hypertest Markup Language) e-mail message or luring the user to a specially crafted Web page, Microsoft said in its bulletin.

Thor Larholm, a security researcher at PivX Solutions LLC, said Microsoft took its time to plug the OWC holes and said the vulnerable ActiveX control should have been disabled.

"This one sure took a long time to patch, despite the public awareness that was raised," he said. "Microsoft forgot to set the 'Kill Bit' on the component, so a malicious programmer can reinstall the old and vulnerable OWC automatically when a user visits his Web page."

Microsoft in its bulletin said it can't set the Kill Bit because Office and other applications used to write Web pages refer to the ActiveX control in question. If the Kill Bit were set, many Web pages would no longer function, according to Microsoft. The company is working on a new technique to set the Kill Bit without forcing users to redo the Web pages calling the ActiveX control.

Affected are OWC 2000 and OWC 2002. This software is shipped with Microsoft's BackOffice Server 2000, BizTalk Server 2000, BizTalk Server 2002, Commerce Server 2000, Commerce Server 2002, Internet Security and Acceleration Server 2000, Money 2002, Money 2003, Office 2000, Office XP, Project 2002, Project Server 2002 and Small Business Server 2000, according to Microsoft.

Patches to eliminate the vulnerabilities are available. Microsoft advises Office XP users to install Office XP Service Pack 2 instead of the general patch. Users can also download and install the updated OWC software from Microsoft's Web site instead of patching. OWC is about 7 megabytes in size.

More information can be found in Microsoft's security bulletin MS-02-044 at:http://www.microsoft.com/technet/security/bulletin/MS02-044.asp

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joris Evers

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

Logitech Ultimate Ears Wonderboom Bluetooth Speaker

Learn more >

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?