Information Security News mailing list archives
Microsoft Yanks Office Tools After Security Report
From: InfoSec News <isn () c4i org>
Date: Fri, 26 Apr 2002 03:08:18 -0500 (CDT)
http://www.newsbytes.com/news/02/176138.html By Brian McWilliams, Newsbytes REDMOND, WASHINGTON, U.S.A., 25 Apr 2002, 10:39 AM CST Microsoft [NASDAQ:MSFT] has removed a collection of tools for its Office suite following an independent report that the tools may open security vulnerabilities. According to a series of April 8 advisories from Israel's GreyMagic Security, the latest versions of Microsoft's Office Web Components (OWC) can enable malicious Web sites or e-mails to perform several attacks. The attacks, which involve Microsoft's Internet Explorer (IE) browser, include reading local files on the victim's computer, running scripts even when scripting has been disabled, and accessing the contents of the system's clipboard. The page at Microsoft's site for downloading OWC currently states, "This download is temporarily unavailable. Thank you for your patience." According to a copy of the page available in the Google search engine's cache, Office Web Components version 10 is automatically installed by Office XP Setup. OWC version 9 is installed by Office 2000. GreyMagic's advisories said Microsoft has been informed and is investigating the security issues. Microsoft officials were not immediately available for comment. Until a patch is available, GreyMagic said concerned Office users can protect themselves from OWC-related attacks by disabling ActiveX support in IE, or by uninstalling OWC. In an e-mail interview today, a GreyMagic representative said the company disagreed with Microsoft over whether to wait for a patch to be available before releasing its advisory. "Our opinion was that early release would help stop exploitation sooner because workarounds will be applied. Their opinion was that customers prefer to stay exploitable for months and do a one-time patch when Microsoft releases the patch," said the GreyMagic official. According to Microsoft, Office Web Components is a collection of Component Object Model (COM) controls for publishing spreadsheets, charts and databases to the Web, and for viewing the published components in addition to Data Access Pages on the Web. GreyMagic's advisories are at http://sec.greymagic.com/adv/ Microsoft's OWC download page is at http://office.microsoft.com/downloads/2002/owc10.aspx - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
Current thread:
- Microsoft Yanks Office Tools After Security Report InfoSec News (Apr 26)