Monday, July 13, 2009

Microsoft Office Web Components Vulnerability

So you system admins out there thought you would get a vacation this summer? Not if Microsoft has anything to say about it!

Redmond has released Microsoft Security Advisory 973472 regarding a quirky vulnerability in Microsoft Office Web Components. The flaw seems to be in the Spreadsheet ActiveX control, and if it is successfully exploited, an attacker could end up with the same rights as the local user.

Damn you, ActiveX! Damn you to hell!

While Microsoft reports that exploits appear to be minimal and targeted, several antivirus vendors are seeing websites, mostly in China, dishing up the exploit as part of a pre-canned kit that downloads and runs a Windows executable. One vendor, Sophos, calls it "Mal/Generic-A."

A number of products are affected, including (but not limited to) Office XP & 2003, ISA Server 2004 and 2006, and Office Small Business Accounting 2006. For the full listing, check out the advisory.

As usual, Microsoft has a workaround that involves setting killbits, but make sure you know what this might break before implementing it, especially if you do a lot of displaying and/or publishing of charts and spreadsheets to the web.
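One way to audit the killbit workaround mentioned above, as an added example that is not from the advisory or this post: it parses the text of a `.reg` export and reports whether the kill bit (0x400 in `Compatibility Flags`) is set for a CLSID in both the native and Wow6432Node registry views. The CLSID and the sample export are constructed placeholders; take the real CLSIDs from the advisory.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating a control
SUFFIX = r"Microsoft\Internet Explorer\ActiveX Compatibility"
# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both must be checked.
VIEWS = {
    "native": "HKEY_LOCAL_MACHINE\\SOFTWARE\\" + SUFFIX,
    "wow64": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\" + SUFFIX,
}
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000001}"  # constructed, not a real control

# Constructed sample of decoded .reg export text (real exports are usually UTF-16).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000020
"""

def parse_reg(text):
    """Map each key path (lower-cased; the registry is case-insensitive) to its values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"').lower()] = data.strip()
    return keys

def killbit_status(reg_text, clsid):
    """Return {view: 'set' | 'flags-without-killbit' | 'missing'} for one CLSID."""
    keys, result = parse_reg(reg_text), {}
    for view, base in VIEWS.items():
        values = keys.get((base + "\\" + clsid).lower(), {})
        match = re.fullmatch(r"dword:([0-9a-f]{8})", values.get("compatibility flags", ""), re.I)
        if not match:
            result[view] = "missing"
        elif int(match.group(1), 16) & KILL_BIT:
            result[view] = "set"
        else:
            result[view] = "flags-without-killbit"
    return result

if __name__ == "__main__":
    for view, state in killbit_status(SAMPLE, PLACEHOLDER_CLSID).items():
        print(f"{view}: {state}")
```

Any view that reports something other than `set` means the workaround is not in effect for the browser that reads that view.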

