|
|
|
MS First Look: Word 2007 Not Bitten by Bugs
By: Brian Prince
2007-04-11
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
Microsoft says it is still investigating reports of posted security holes, but it has found no evidence that the Office 2007 suite is vulnerable to the reported flaws.Microsoft says a preliminary investigation into reports of vulnerabilities in its Office 2007 suite has produced no evidence of a threat to users.
Reports of new security holes in MS Office have been made public on known exploit sites, including information about four bugs posted on one site. Microsoft has not released specific information about the vulnerabilities, citing potential risk to users.
"Microsofts initial investigation has found that none of these claims demonstrate any vulnerability in Word 2007 or any Office 2007 products," a company spokesperson said April 11. "Our investigation into the possible impact of these claims on other versions of Microsoft Office is continuing."
The reported flaws were uncovered by Mati Aharoni of Offensive-Security.com, in Israel. He said he was not searching for vulnerabilities in Word, but stumbled upon them while developing Offensive-Security.com course materials.
"I ran a character substitution script on several Windows file formats and was left dazed by the results," he said. "The vulnerabilities I released to the public were the least dangerous of my findings—most resulted in DOS only—actually getting code to execute via these bugs is highly improbable."
Two of these documents show how Word 2007 could trigger a "CPU exhaustion." A third vulnerability, also concerning Word 2007, could supposedly allow remote code execution. The fourth alleged vulnerability, which concerns the ".hlp" extension for Windows help files, could cause a heap overflow condition.
 For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.
Aharoni said he has received several messages from others confirming that the bugs crashed Word 2007. He posted screenshots of the crashes or CPU exhaustion conditions on his blog, and expressed confusion as to why Microsoft seems unable to reproduce the conditions.
Through the company spokesperson, Microsoft stated the company may issue a security advisory or update if it is deemed necessary.
Click here to read more about the reports of Microsoft Word vulnerabilities being posted on exploit sites.
Karthik Raman, a researcher at McAfee, in Santa Clara, Calif., wrote in a blog post April 10 that the timing of publicizing of the potential vulnerabilities on exploit sites may not be coincidental. "This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the publics exposure to these flaws until the next months Patch Tuesday," Raman wrote.
Andrew Storms, director of security operations at nCircle, in San Francisco, said the issue of responsible disclosure is a never-ending debate within the security space. He advocates responsible disclosure, defined as reporting a vulnerability to a vendor first and allowing the company a chance to fix it.
"It comes down to the question, Does responsible disclosure to the vendor deliver a better product? Does it force the vendor to fix it more quickly?" he said.
Aharoni said he has little patience for the formal disclosure process after having had disappointing experiences with it in the past.
"Microsoft has made huge leaps in security in the past years and I appreciate that," he said. However, he said, "As a Microsoft customer, I would like to see bugs patched quicker."
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
|
|
�������xV# XAny�\v-�il*v,tlg̝�\}%YK|8��6Pյ�
l]BR("�
Bo�Qȅ3"9)ٝf?O-��Ijy6�`ḞS�o92p}#�
�tӌ5r9:!s
��p��TΛ��D!H/�ԎT�a@]2h�ֵ[k2"owekh cߨ�Y�``1\�X/�x�uOpfzN|�Qǚh]
](
ѼG�eHTަèuB)>S=*2pНĉ,}!*Ka�>"E%S5E�pHԤ#|x\gg�x2+���X]~�D4��خq�8]�b'(#O^2j��bㅨ�H�a=c 9t}�^�
GgJ;r{�'
�ڪ8NfQ% F:pm3C������k>LN\CZ��ˆ辥�$�)5�u= \k4"54cT8iu8D7�d0F#�+F~m�6�)L|H�Cɤ:Ѱاz�r$˺7)hm�wya4T:ԪR+TCxXsމ*����1݇飅K
wΨn{UMSU:GB���q�غs��m)=x]
!LeUc��i^`oe}#1��UJ� Z.�
I�/LZH���͖P� /jQҋ[N-�����մR�ija�[�E�4dEUC$vw*ZZWM"MuX6&�Zh�C�A+@t?C{ˠrq{vzrq۾:vY熜>OZ]$O't2 +?:V�'_W[Uկ7#>�߮A&�]8Z�/'$'mDO{��`HםBi۲ܺʑ\�y�ɽ��aXY|Tͼ�94-��I`�fo$�E@[-�u��( K:���YKc7B�
u%u_ϝ�5��Hr
Ca)#8?c݇E��pJq�䨉kXSl� �\�{R<��fu"* b�4r�ݠQ�}N�}�%M��1F|r/�̤"`Q%
�.��
'�LL�l8O�ٹ>rYYT'*daeAUisӟgxE�ޡ:Yp:%U.[n}�8^$glh|�*0']ez|�c\Z�7W�J0Q�wOV)AbVʡ~X8ʕ ?6n!SG�ñA���&�S;n�N�(��NPg}0}BMk:�tIF$�>2胎:m8�5ƹ�"�
47P}HG:qI�$3p�w�>>Gz9ԩ(�鋥�*L�@bhMhs!D�m�� *>r�l��8d�()s>yp;XL- 0ȃ�--�H�=�͋�����6
����2+?>�fCnH�}�PȀ�V�|`{ � �qm^l}`٠1 >5�%ѣ��q�0y zOE�Ч��g$D�!"�5i]N�P@B�r68
�-��4rr<����0{"!bTLk�['5TxB#�}Tz,�QMVR1b�-xkb�}I)l͌�eY&zOa,Ll���["0�9X����
5�j
h�+%Ƽ
f4\O5&C˰`�3� {[�We [0Xآ:!9A?a! q SQ��S:� ?�
!7!at]���<�V3,�+X5{8�qy�`Y@�{��tղyJ�ˁ
2$6�WB�>,˄F|\�6=c=϶'uXu�[�tu`|�d:.+�hm>xB,n�aDhI/3_iy9e~9Ꭴm[4�@>J�zS.Zqα�q�B&�k2H(A\g<)*h7.1A�/aڵ(^�wu}j
a�b�E���UV��LX�kX)Z%Y2g5�klP!�/Ȁ2�(M �Dgab\V1�`N��z6xI?�vl->u�_�PTN�zR��7v���J�iX�$l
M3r��&<�$��2n|N\��-�XЁUzsڳgw1잵��).߬p=nZ-��V!҃�E �LrCmP�
"�˞B{_��1�]X@C~.% giԏ5@&^`Gm��d�*9ЦmPܡkzĠ:lE֝�\Q6-D.-g��
\\�jpf
Z��Lp�s'A~A0,\y�.zM��v�V0ܓ�n�~��Paۘ;P}qAWl*IH�נbAQ)x�kMf"�9oQ3
�iȐ0ԁq�_HE�y�[+pp �B���U.(L,�:j� �
�[
Hg
[^z�o�C�z�O@
`QI�:lx"�B�S�ͧ]=1c�*�"L`B{@l�VB`��ZYUKZQT*Q�X7
CSFOX��5`}w8�ڗǸ>yo콻'F2M'Oo)ZAgf-%A��eT8ᘑe���1�0+��VW S#sP)ҘWF9 �.+�Nj�Z|j�+KV�=;i��gH?\3���O+q�%\ EY;[}l@)��tdx8)с,H���rUTՑnV
U�#����4T#��� ���a�{1�X�MQiR=�b�h�sm?O᧘Z1Ӂ P~�̸6u<�X\[��(``#>��N=�2�Ȩk
01-�dq]U*Ղʾ_i��7g}h��#RL@
���
Jg�8ZCA;eSt�}�@b%Raݔ5���"vzڀVI�JiQV0\,qi}�^�LZ\�?~Y�Lo';5�ם^tȴ�h�(� V|o��
g�R)ߦI3k/��cSȣ��#W5�9
d$frN��0p&z�.{5�?L'LKG_=,UAX!c��Ix}�wSO>�mǤ|o�,u-n1y��%Ŝ�QS�Oe�U�Yx#_7)~(\{C>�m�
^B>k�P�Q]|�UMBR%%%~티!WӂF�i-yB�[֒-3q܇�WJ8-�ܟ`"@N|G!Zݼ��erI8MYI�{K �K,%./@^�82zf�[(4]4V �V�3eԞfFK4
nҖq": �5e�VG*ݔ;Yժ�kVB �I@�; #vf?b�my`:Jw�E4qfn&)3ו.[^Hp���Os~̾n3Nrt V��VJrÎwlL2M�#u�(L!)j�>e.E�O.��lJpX�g(��,'�2�vB�k=�Ǔǻm�I75a
f)4<~r`�p=ȥ[hrc$ $"z��b״R#=<�j(V(Y?JoxqNL�v/?�B�_KMп�" }M�~_�Uv٭�b�}y�&,�!@O�cmw~D
�;>\e�^�2a]=W� +םn\�aaVy/��ЏWKΟ�Kx�VqoR#R�Tj_6߷hC�lYj2}�a'A.d�`_#!&}�̾{ymWϋitFi�^py+ s?@*ǝ^s)\6oėlO:��~SF.W-)�^s-o=�R#xP!5/X���G}9h5o�ϛM1+&03h@⑩�!�g`B�����`q,
'�st�V}{r
�qbQ6a4P돝%�}m�XLXoH}(_I�1�R����l��{B�,2�q^_4?72sE�6����^S�F(+b�K�"$DY |E�iM��^�f�+bt8DkEp_
,~)Fy.~y>~4~��0bIb^Kf+ƭԓN�I‐5�/(��.4tiN5hpF�Qxc�.A)6غ�J="c4�SJ"3pq*l�wI�e
ޜ,Hy9Yi@yjZӽM3JJdȣ�ϝm��I+
D$/CiA0'͋h!�,G7��<�m>Alb'hew*Bzc��`|x[r�)fp'x k��DaWy^=�;h7RÊN;�
>= m�3t[x��l\Q�mx��b1��@ݮn`e!̱�rn�f
~;j�vК��}FF֢n 8�V='39�Ϟ��1+6q�t�p�v#ȓ;A�\AzFTrk�]O}V7]�Yt�\H-�INt!i\uzykݐէ9ar܂.#A#Ԃ�>3Q�~�q�>P]l,=!GFzy>rB[�^vۭF]�f=/Gi]iw'ۻ�};q*A=wK�ȥ�G8wkP$��A}q�.e~W�(�R�=�
o.-\,s<5Q#�v9KrI·$2ρIV�#y�6Kh#j�v.bϝ%o��14�l*t_�nց0c�ԲمY鼳A�62� |@f��V�;R�\b��P`
�܍1�WD`HI@�ĩg6�@|אp�hZ1y�ancZ'Oq8|#؈fo_��ϒ�5oNOƂ1f̹7�cpߍ�2\o_m�XR|
��\�7�?Qg=n"7(S/�so�[[�V]:lQMo
w�x7�����GSwfd�Q�̺Z(ş�`ɤQ^1'g/'_wz�B�u�a;fs9�=�I˰تpHj(*˰Wt.J^9B[O] >5)v3[�[��1\*)/Mɯ]A�Ce���Ow
`��19��Pw�Ϩ1S)!_*>S_,c�6v�¡j;$
(oaJ]_)@r2vR��
+rUqqѝF4@#͜�k .s9Qv�c"Q�� �c�%8|Z3"%�*/x�0VH!:,V�b��MgJd]qy#�.+I�=ePnN�`cꔋnO�)XqL+WȴBrleH7.&�".�WU,E�Yh�1?[á�Г[l4�C@m}�h79$b4�GVQ�J9ՊM&eئt�O+s͛��#@Bٳ�͐Ƃ�O c1$>�tr}j?�j=N]-�vg6̓=1}N�rm5"Y��K09�Q]8JNS
Y`:rrJM�(gHJTt$iB�3~�>�G$�J8P��;=J���_D~�єb%BsxFW�v#6p_RUI-o歡7�Yԗ���^H�6(x"J>b��U�C����V�7}�XcN2п-r{�R"|lU$�l%yh@j[j=z��{\)J`�6`�-�o^�I�o{4^Py{
Reթʕ@�BY$x>`
]`�!�G�ȷEl[=��Cml^v+H*)LIZ��}����lo9$�0uwn���`D�X`b��h���v"#BxV-LUkQY+J,�MXTw��uNNzOC��I8RWP�C�*UUYC�8Ŝh L�&�p�����/�QFN5\=U7%�>8�^�����d컈f{&�\q-rXV�.B��6�ͲE[E�i�3=e���3
˱�]I��)7"7"7"7"�#r�3r#r"^ߖ,̒Mcu+q��PϞ��R7;dn�A-]�ar8Ev��G�����oƶ�AmU6$W3�̼�ļ�BW�ۺl�61H>>J�:q�wnaLxۼx'8GC{∜㻇.�$��S�O;�|�~%r�L!x5P�iEZtx�LjTʠ<�R+9,*rFʻoL4�U|r@�7kO+��q;=WfI��S�/
`�A0�cp���p_xImg�r䒣^]:�ܡt;3�(w N\t`�9 $>d�t���!��$��+a%=��gTڐx^ͨ~� h~y��\ՑYτƳr�'�&�o�A�0<�J�跣j&攋,oҦHb����"K ۶E�_1Ԓt B]Ğ�ݖ���b͞k곹�k[&PG� 'Ya�$!qU ^6�W>������{c�_D^U�$l }rRwNmSWe75m�,`jTpx,�_fe7}3h0L4Wk��c6K^J�s؍��jA�!^��
[�I��{ӱ66-t�Q{L��t)q�[`uny)l0(���xhZ#4SJ:nC{*Å�@&m|�ii"EtK",A������s���3*}m`v/@:|�C�\7Ŵ7����5W�N�v@�X&9)���#�b)B˰xQ/oC���0k��וi �:Mk�ո�a5��R3G1*g5.
�]I_w'=�I_64�M�Y|
�I}ֿpGnRzJ= {>����HO�6|?C\k6s=ݶG%�.}DN�6%ArW|koN�DA,0ě>>��論w�mX{`&$;2.LHjn�?hVr5l�0I#��ۀچű�6qxV�T~uσ dEյqdyN{��n].�Jhkk�rj�l��zlïn�Bf,�DS�XubE@4tF87ڟG2%,ℱfni��]�9SY�ErI5P�/"&L�G�{;k҃9:=u]��×�{2�j��Z}z_ګKۨ_xا%1A d^�mϗ+�IO�Ob�6Y3z��(�Őᨪ�6^�М�^0-7�[݃~Oe�
12��W+H"+Y:��z}3�Ǯ��?�I7�W^GcK�iwj�-�}�ލʳ_��dE'ٯ�Y6OXT�Pm5P�ӬfPu�ۿT'}d7Q>NSg2V�OB�R
Q�?OӐ��vk����kLj��3/D!PS�9�>�GI'�H${?F<#r�;µ(��#=��t�܆o%Upql?m�GR�`B��da"(9h�F�@�]o~4?|D?�SM}1�v◦>
y.V8΅c
{+=4i[�U4>(CZP"Z=��שM}�Is9�꒒|I|n @`jO�(&l\M��8�AXJzܘE
Pa C�_y�e%�HFPxAYL�^�z�82js~̙Tl��/ZNXD+cΩ˯ZE9Ts.��K\G(�z�dIK<�/ c|�RO�&o�K�J�9)֤}`�ɧ��j{-~+��IT�(-A8gh1.�=�HSr_�S#lzYC�'B/k&t];x�Ve
w̞j��mLZV9Owz��etg�O�%^Yѱ��lݹ[v��uCjy\`EE8eL�^JBH�@�#�Z��[l3,´oIe�H
ק6��}H�MDF0�V�2ԴRRj[n1|US*Z
ڒVRo4Jvs;(ELa�3r;c��±@��4 G
Keg~R?o*,|�70a2FԞ�ka*�
18b�bY&f&3Zɮi+o�_cLzG"Z�#�P3�SI�C7��uZmI�&�{|�>w�<
)�_K�~G�hMmãכ|W�.h|'O[ҥn,
M1�v>#o7IׄQT1E�+ :^A9(W�TOb;{�
Q�h�:���pXHu
Ga�|$�{�4m�#G�ij�Ӏ�#ϜT�<"a=X@2>��d2G�$}/'cW�db$@���C�_�Ѻm~Ezh/U{Z7]�d#)k�;66/Hql Y~h��Co�;�c�3�5$�d��V�d^�[:��Z�8<9�ܰn�o8g+H0jCB9҄&3_oʡR`��c�`
TpԢө����d5"&(q�iK87"ۄc�40
uA9@"\2}�Gx0S:WZ`q�&V"pϒw=�n9r:W�@Lg�>��tӀ9�s3��2S¤vt�X->=').yDci�� 8^iN4xXX�~!oX�2��u���}�}И1�RU+J)JTꪂ}�2l�S=VR*l<�WA~fY+{8�\OSr%+r�uVнA='i92dw4tܽ�@%�@�0>6#�Xw9�OsC"�ݓuݹ"ǭ-f¶-r5�u�wN?t?Z7^qfPv>4%ۼЗ6�/
�i/H]5/[LORʉhSgĥ,�e�5�E�^�*M�ٳ0k.(�E_C�ĸ�~4aa�01s<=iuzl%6v�g%8ٝ/,�665BnÇ(14czQe
r�!>.Z'=ҹj�Jkꋲ� Nj5Bk@&PjsM~�;k{O��5':�s�?�:kWOs|_{M>ӾZ�o\Oiu�X���Y3?05��~/�s�?05�\C@k�yj>B5&? ?_B|߫5{�s`_�Y�ȟ��Y#_>5Կ^S�f
tO0t|�w{@5'su��k#\�f|����o�ޮ[hvM@k/IҚu�ky�S*�5\x
/կ�?ˇ-ٚC_#
䯡�i7:k�5x.�r��]eߧoel־>霦�BR;�+]qu[xM}-kk[J1i5��v�B__�Ȧc����ˬ=�>7�ǴJ��x帝C&;Jٻ2o,7ocENj%&yQgΜ'8VɴFV�!,E�t��^Ul>܃f�cr�SFtOYȘ�OV/Җ1
B�>?�'v��d{��Mts��]�}w~0G0`\O{w8ƒ <0
5!&OtWfw�4)^�v�[r4יqE֢u�2�w8�������zY)W8#~uRC�zHyѿnoDg:�'[u}�Nz`MTT�N)pB
Co0�ݬ1zI�=���vڢ{��~38]opޓ17p�?{}��$u�\ԴZjRs�v俓�D2>2����z@�b�3jJ]N��laX��,g��/g�2�l]g�ZCO]3CX.x�n[t%~C P��x�>�YcE(~�+cXAV73��/Z��~*^�v�*i��(F<8)�܁2>�s>@mNu+z:`9?��Ӡo���guF�I�2ؐ$&ή�w�u¿�6гI�w&��ӄ�Y@DӼ���hգ�=đr(9T(YF�
D�\^:"&�3!U{��Txx e.�G�)��
��'�Q0Z�qǵ�en3 &��1icЁ/��CłvL(^
1�kEF(^l#by\rE\��u�;ݩ)4R�j9\4ˏA�nﺓs��:��K�ufp���R�)Հ`m�?6"8
sjٳg%&2]�|1�I:༓
+SE�1.�亄m���K:`/,g�px.o�Y:�P�^BDceB�� ^l��x$,)Rvא$q6Nip�@y��0p;'^�ܞ)'�|\��+֊u`_GBb 3;�23Ur&�aXzt>\Qo-Ìҷ��%,J$Xm%Ӿf$ӣ6Ʈ�G}M=�6~P&�S�
>��Ͷ�
U�^{�3�D3$(�z<��7)1@XY/�v8�:X5�m$��I�Kh<�W/[5�b8�gCJgrJz�c{]/I)�H[QȹT6JwvAo3[Y,�&���/ă_|
��/bz`#$}c,�ߚP
�DY��=
|^ZQؖ�{@6awW�ێWuENρD&&�`ɕX�)u��ȧln/d)0P�w4�q�¹">UJَR��h,8/3 +l;ms�z{ol�ȱȎ�by�I6/�՜'K@'mӥhW�Q7�V0^
瑎cϣ)K8~mA=fe{,-U��B@ɖ)�tnO[?Ca����7ś�
*~�~ X^b��0,2059'5+E��g�?i>=X�}/�#3!?M�jH"m-g^^jtaÿ�(ran��v� ��Aw�1\�2�_k:��ԂnK=��/{�&26�\�d`�!/9�(K�Áh@7yy3�v!?Af
!LПB?S8�?D/�V9�s#�ʇ{]�9��J"oF_Y̅�p�Z�03=�7~3S]K1`�Gz`�hlVpF]��xIN}�[8Lm^@�@�坩m3$+��F�*�V�dh�2
� Şg
dcdI�ˑ
��ɼgcW07��tbg4wP.(�Ma?йEIXeLtX9J+ /}V��UӍ>�2�)NNzfm1TV�SY�<�a0k;%6sG�i~\
�voR�Z6�#P�'U��O�sNLϛ4ܘG�D(;*R"t,Jen�ˆ^K+Sw
V`>7��.忓MtOn:��*b�Q<`V.o]*z
Z-&�o4�O?WNv�`Lm;"\XD�=I(�`�pT-j�"�%�SdnC3G뒎^|=�",��5f����%��|@vA#�@"0
?�I�_�n���Q*)xF"qOfH 5���3S-@6#З=܄X=&#\+��9b
�&zwd@]k�"W#[x_���͕:Mȟ-ؓx�>W?չy~ ?r;[�jA�,l�С&
�/6`77*9<`2Ȇ��jt-�Bsl����LF{}~F�PƖ�A/xfG-L7zGv+G(v⥛O^ �g=}1r<~
a"e�rcA*Wml4"}�{Vk|�� !ȦmbVh���O1:��=ck��J\�a�[#ю�Ź~;�!t=�b#v�+ �f�iHZ�,R pruhIE��<���'Pp�eಜs'�8�/d{DT&E�i1D\_
��c_֞):�G"J&t'[c(77rCFSs-ڧMؼۤANԯxk.N�S*!!y*fW�/�6]�ޟo�R(a7|�(Iy�[P/H1�r,ٖ|;�(7}�./8פS0f4��ÞGnvLb�1 @)w=qo��F&u�%5ZGR^Oebqx<ɾmߟdt.:7G�}G*q7�WRTF�Q<�e:7,��! +w<=m_O�WA̼Y�D�PSEf#|�Wy,AOw�Tje&B�V�:cS�Q1C'JZ�+=q����r�)�U凅2?~csM-=NCL�,��S>'r*3u�'斎M8�g;<�ͦ[�?ŇE�wX�/x�@��
|
Network Security & Hardware 
