List:       isn
Subject:    [ISN] Microsoft Yanks Office Tools After Security Report
From:       InfoSec News <isn () c4i ! org>
Date:       2002-04-26 8:08:18

http://www.newsbytes.com/news/02/176138.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
25 Apr 2002, 10:39 AM CST
 
Microsoft [NASDAQ:MSFT] has removed a collection of tools for its
Office suite following an independent report that the tools may open
security vulnerabilities.

According to a series of April 8 advisories from Israel's GreyMagic
Security, the latest versions of Microsoft's Office Web Components
(OWC) can enable malicious Web sites or e-mails to perform several
attacks.
 
The attacks, which involve Microsoft's Internet Explorer (IE) browser,
include reading local files on the victim's computer, running scripts
even when scripting has been disabled, and accessing the contents of
the system's clipboard.

The page at Microsoft's site for downloading OWC currently states,
"This download is temporarily unavailable. Thank you for your
patience."

According to a copy of the page available in the Google search
engine's cache, Office Web Components version 10 is automatically
installed by Office XP Setup. OWC version 9 is installed by Office
2000.

GreyMagic's advisories said Microsoft has been informed and is
investigating the security issues.

Microsoft officials were not immediately available for comment.

Until a patch is available, GreyMagic said concerned Office users can
protect themselves from OWC-related attacks by disabling ActiveX
support in IE, or by uninstalling OWC.

In an e-mail interview today, a GreyMagic representative said the
company disagreed with Microsoft over whether to wait for a patch to
be available before releasing its advisory.

"Our opinion was that early release would help stop exploitation
sooner because workarounds will be applied. Their opinion was that
customers prefer to stay exploitable for months and do a one-time
patch when Microsoft releases the patch," said the GreyMagic official.

According to Microsoft, Office Web Components is a collection of
Component Object Model (COM) controls for publishing spreadsheets,
charts and databases to the Web, and for viewing the published
components in addition to Data Access Pages on the Web.

GreyMagic's advisories are at http://sec.greymagic.com/adv/

Microsoft's OWC download page is at
http://office.microsoft.com/downloads/2002/owc10.aspx



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.