Second unpatched hole in Office 2007
The security services provider eEye claims to have informed Microsoft about a critical security flaw in Publisher, a component of Office 2007, as early as February 16, 2007. So far, however, neither the company from Redmond nor eEye have released details of the problem. What is certain, though, is that code can be injected via the hole into a Windows PC and there be executed with the rights of a user logged-in to the system. In all likelihood, for this to happen, the victim will have to open a manipulated document that has found its way onto his or her computer via an attachment, say, or by way of a download from a web page. Any search on the Web for suitable layout templates for one's own documents is likely to boost the probability of the latter scenario in particular.
Whether or not the hole is at present being actively exploited is as yet unknown, however. A flaw in Word under Office 2000 XP, 2003 and 2007 discovered in the middle of February is already being actively exploited. Thus some four weeks after the publication of Office 2007 two unpatched holes have already been found. Work on a patch for the flaw in Word is already underway; the patch in question is not yet available, however.
In addition critics have pointed out that Office 2007 sends data without the user's knowledge to a market research institute. Microsoft for its part has claimed that the data sent do not include personal data and that users' systems are not being spied upon.
- Upcoming Advisories EEYEB-20070216, flaw report from eEye