Microsoft warns of vulnerability in Office Web Component
Microsoft has advised of a critical security vulnerability in an Office Web Component that allows attackers to gain control of a Windows PC. According to Microsoft, the first web pages that attempt to exploit the vulnerability, using specially crafted tables, have already appeared. For an attack to be successful, a victim must first visit a specially crafted malicious page using Internet Explorer – which could even happen inadvertently through page forwarding.
The vulnerable control is a collection of objects for publishing and viewing tables, presentations and databases on the web. Office 2003, Office XP, Internet Security and Acceleration Server 2004 and 2006 as well as Office Small Business Accounting 2006 are all affected. While no update is currently available, Microsoft is reportedly working as quickly as possible to produce one. In the meantime, the software vendor has released a Fix-it tool to disable the vulnerable control in Internet Explorer. It's highly unlikely that Redmond will have an update available by tomorrow's Patch Tuesday.
See also:
- Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution, security advisory from Microsoft.
- Microsoft Security Advisory 973472 Released, a Microsoft Security Response Center blog post.
- Microsoft to release DirectShow patch next Tuesday, a report from The H.
(crve)