Office 2007 May Have Taken Its First Hit

 
 
By Lisa Vaas  |  Posted 2007-02-23
 
 
 

And so it begins anew: Microsoft's security problems.

In what looks to be the first remotely exploitable bug in an Office 2007 application, Microsoft is now working with eEye Digital Security to dissect a high-severity flaw in Publisher 2007 that could let an attacker hijack a PC.

"This would be the first publicly reported vulnerability in Office 2007 if it is confirmed an exploitable vulnerability, however I want to clarify that it is too early to tell if this is actually an exploitable vulnerability," a Microsoft spokesperson said. "Microsoft is still investigating the potential vulnerability and will provide additional guidance to customers as necessary."

eEye reported the flaw on Feb. 16 and has sparse details available here. The only information eEye is making public is that the bug "allows arbitrary code to be executed in the context of the logged in user." The security company has a policy of allowing vendors 60 days to fix a reported flaw.

The Microsoft spokesperson said that Microsoft doesn't know of any attacks that have tried to leverage the flaw, nor has the company heard of any customers getting hit.

"Microsoft will continue to work with eEye to further understand this report as part of our standard MSRC [Microsoft Security Response Center] investigation process and will provide additional guidance for customers as necessary," the spokesperson said.

The spokesperson offered up an archive of Microsoft Security Bulletins and guidance for publicly disclosed vulnerabilities at Technet and at MSRC's blog.

For advice, Microsoft offered up its usual protect-your-PC blurb:

"As always, Microsoft continues to encourage customers to follow all of the steps of the 'Protect Your PC' guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software," the spokesperson said. "Customers can learn more about these steps at www.microsoft.com/protect.

Office 2007 was made available to retail customers on Jan. 30, 2007, the same day of the formal launch to retail customers of Windows Vista (links to podcast). Vista, of course, is the security flag around which Microsoft has rallied: a complete do-over in terms of security.

Microsoft promised that Vista would cut off social-engineering attempts at the knees at the server level, for example. It also shipped with its own anti-virus features. That might have disgruntled security vendor partners, but they still showed up in force with Vista support.

Rocket Fuel