On Monday, a set of software components that are shipped in a large variety of Microsoft products have been confirmed to have zero-day vulnerability. The vulnerability rests in Microsoft's Office Web Components, which are used to publish things like databases, charts and spreadsheets on the web. The good news is that Microsoft is currently working on a patch but have yet to comment on when it will be released.
Dave Forstrom, who is a group manager and part of Microsoft's Security Response Center, said in a blog post earlier "Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we've only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user."
The ActiveX control is just a small add-on program which works in your web browser. It facilitates functions like downloading things like security updates or programs. But it has been seen over the years that the controls have become prone to vulnerabilities. The new flaw in the system happened the day before Microsoft was going to release it's monthly patches which included another patch for zero-day vulnerability. That problem had to do with the Video ActiveX control found within Internet Explorer. Hackers are currently attempting to use this in drive-by download attempts.
Microsoft, who has set patching schedule, has strayed off and issued a patch out of cycle for cases of especially dangerous vulnerabilities. According to Microsoft, the flaw could allow an attacker to execute code remotely on a machine if someone using Internet Explorer goes to a hazardous web site, a hacking technique known as a drive-by download. Some websites, especially ones that have user-provided content or advertisements, could be rigged to take advantage of the vulnerability. "In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to persuade users to visit web site., typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's web site." according to the advisory.
Microsoft has issued a list of affected software. This list includes Office XP Service Pack 3, 2003 Service Pack 3, multiple versions of Internet Security and Acceleration Server and Office Small Business Accounting 2006 as well as others. However, until a patch is ready, Microsoft said one option for their administrators is to disable Office Web Components from running in Internet Explorer which they have even provided instructions on.
No comments:
Post a Comment