Office software susceptible to attacks from hackers, Microsoft warns

Microsoft today warned that cyber-criminals could exploit a flaw in the company's Office software to gain access to a user's computer.

Newscom

July 14, 2009

Office, the best-selling desktop applications suite, has already been been hit by cyber-criminals – and could be hit again, if users don't take appropriate precautions.

That's the message today from the headquarters of Microsoft, which makes the Office software. The problem is rooted in ActiveX, a type of plug-in component that helps Web sites launch content-rich pages. This particular ActiveX plug-in facilitates the transfer of spreadsheets between the browser Internet Explorer and a variety of Office applications.

In a security bulletin, Microsoft said it had made available a temporary fix for the problem, which users must manually download to help prevent their PCs from attack. The company did not reveal how many machines had been hacked.

"Despite today's fixes, Windows users continue to be under attack. Microsoft is taking two steps forward, while attackers are putting it one step back," Dave Marcus, McAfee Inc's Avert Labs director of security research, told Reuters.

On its website, Microsoft said the vulnerability could "allow remote code execution" – meaning hackers could gain control of one or more computers through the Web. In a worst case scenario, a score of computers might be linked together in a botnet, and used to collect wide swaths of user data.

"Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we've only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user," Microsoft's Dave Forstrom wrote yesterday in a blog post.

As Brian Krebs of the Washington Post notes, Microsoft usually warns in these situations that they are aware of "limited" attacks.

"But in this case, the company, which is known for carefully wording its advisories, seems to have left that phrase out of its notice. It's not clear at the moment whether that means there are a large number of sites exploiting this flaw, or whether this is something of a policy shift for the company going forward aimed at not trying to downplay the severity of unpatched threats," Krebs writes.

Earlier this week, Microsoft Corp. issued test versions of Office 2010 to a handful of top-level testers. The software, which will feature free Web-based versions of programs such as Word and Excel, is still on track for release in the early part of next year.

---

For more tech news, follow us on Twitter, @csmhorizonsblog.