Researchers spot first remote code Office 2007 bug

First Office 2007 remote code vulnerability reported

EEye Digital Security said it's found the first Office 2007 remote code vulnerability and has alerted Microsoft's bug team.

The terse warning posted to eEye's Upcoming Advisories site tags Publisher 2007, the desktop and Web publishing program included with some editions of Office, as the flawed application. "A remotely exploitable flaw exists within Publisher 2007 that allows arbitrary code to be executed in the context of the logged in user," the alert read. eEye rated the vulnerability as "high," and reported it to Microsoft a week ago.

"We're still in the back-and-forth with Microsoft [Security Response Center]," said Marc Maiffret, eEye's chief technology officer.

Microsoft confirmed it is working with eEye. "Microsoft is investigating new reports of a possible vulnerability in Publisher 2007, which has been responsibly disclosed to Microsoft [and] will continue to work with eEye to further understand this report," said a Microsoft spokesperson. "[We are] not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."

Although Maiffret declined to provide details of the vulnerability, he tacitly acknowledged that it was a bug in the Publisher 2007 file format. "Ninety percent of the time, [Office] bugs are in file formats. This is basically the same."

Users of Microsoft's Office productivity suites -- going as far back as Office 2000 and including the more recent Office 2003 -- have confronted a flood of flaws in the last 14 months. During 2006, Microsoft unveiled 13 security updates for Office 2000 and 11 for Office 2003; in the first two months of 2007, it's rolled out four bulletins for Office 2000 and six for Office 2003.

"Microsoft's been talking up Office 2007 as one of the first products that went through the Security Development Lifecycle, and telling everyone how great it would be," said Maiffret. "That's interesting, but this [vulnerability] shows that there still are going to be problems.

"With both Vista and Office 2007, it doesn't seem like Microsoft is really talking about compelling functionality. Instead, they're talking about security," Maiffret said. "That's crazy. The software should already have been secure."

Among the other outstanding alerts listed by eEye is one that affects Windows Vista -- and no other Microsoft operating system -- which was reported to the developer Jan. 19.

More about: eEye Digital Security, Microsoft

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/20/adawarefree/

Lavasoft Ad-Aware Free

Ad-Aware Free has long been one of the most popular spyware killers on the planet, and with good reason. It's simple to use, does an ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia