Microsoft confirms another zero-day vulnerability

Just a day before Microsoft will patch a different zero-day flaw, another one pops up

Microsoft confirmed another zero-day vulnerability on Monday in a set of software components that ship in a wide variety of the company's products.

The vulnerability resides in Microsoft's Office Web Components, which are used for publishing spreadsheets, charts and databases to the Web, among other functions. The company is working on a patch but did not indicate when it would be released, according to an advisory.

"Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we've only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user," wrote Dave Forstrom, a group manager who is part of Microsoft's Security Response Center, in a blog post.

An ActiveX control is a small add-on program that works in a Web browser to facilitate functions such as downloading programs or security updates. Over the years, however, the controls have been prone to vulnerabilities.

The new flaw comes just a day before the company is set to release its monthly patches, including one for another zero-day vulnerability revealed earlier this month.

That problem lies with the Video ActiveX control within Internet Explorer and is currently being used by hackers in drive-by download attempts.

In cases of especially dangerous vulnerabilities, Microsoft has deviated from its patching schedule and issued one out of cycle.

Microsoft said that the flaw could allow an attacker to execute code remotely on a machine if someone using Internet Explorer visits a malicious Web site, a hacking technique known as a drive-by download.

Web sites that host user-provided content or advertisements could be rigged to take advantage of the vulnerability.

"In all cases, however, an attacker would have no way to force users to visit these Web sites," the advisory said.

"Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site."

Microsoft issued a list of affected software, which includes Office XP Service Pack 3, 2003 Service Pack 3, several versions of Internet Security and Acceleration Server and Office Small Business Accounting 2006, among others.

Until a patch is ready, Microsoft said one option for administrators is to disable Office Web Components from running in Internet Explorer and has provided instructions.

More about: Messenger, Microsoft
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: activex, exploits and vulnerabilities, Microsoft, zero day exploit
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/138/driverscanner-2010/

DriverScanner 2010

DriverScanner scans your computer and provides you with a list of drivers that need to be updated. All you have to do, then, is simply ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia