Office Web Components vulnerability flaps in the breeze
Tomorrow, Microsoft has a Patch Tuesday collection slated to include a fix for a hole known to Microsoft and outside security researchers for nearly a year and a half. Today, Redmond's got another, newly revealed, major flaw to contend with.
The vulnerability in Office Web Components' ActiveX implementation, versions 10 and 11, is currently known to be under attack, according to a post by Fermin J. Serna of Microsoft Security Response Center's Engineering team. If a user running Internet Explorer goes to a malicious Web site that hosts the exploit, the attacker could gain whatever rights the user has (translation: owned) and execute malicious code in the usual fashion.
Neither version 10 nor 11 is part of the default install for anyone's setup. But those who have installed Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components for the 2007 Microsoft Office System SP1, Internet Security and Acceleration Server 2004 Standard Edition SP3, Internet Security and Acceleration Server 2004 Enterprise Edition SP3, Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Internet Security and Acceleration Server 2006 SP1, or Office Small Business Accounting 2006 may be vulnerable. (The Serna post offers directions for figuring out if your machine is in danger.)
MS Security Advisory 973472, the official TechNet epistle, has the overview, but the associated KnowledgeBase article has something quicker: A one-click workaround that will stave off disaster until the patch is ready.
Disaster, seriously? Well, as mentioned the vulnerability is attracting 0-day attacks; according to a post by Vanja Svajcer of Sophos, that anti-malware company is already hearing of sites in China that exploit the hole as part of a larger exploit kit. Sophos's analysis rates the vuln as "critical," while Secunia gives it an "extremely critical" label.
The vulnerability lies in a spreadsheet ActiveX control. The Office Web Components allow users to see spreadsheets (or databases or charts) over the Web. The architecture of the new Web applications being built for Office 2010 will render it completely unaffected by this exploit, because they will not use the same ActiveX controls.
In terms of clear and present danger, however, that's really neither here nor there: Experts agree that if you're on a currently vulnerable installation, using the workaround and patching as soon as a patch is available are priority projects for your afternoon.