On the eve of Patch Tuesday, Microsoft is warning users about a flaw in Microsoft Office Web Components that is under attack.
Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing and viewing charts, spreadsheets and databases on the Web. In this case, the vulnerability lies in the Spreadsheet ActiveX control. According to a Microsoft advisory, a hacker can exploit the situation to gain the same user rights as the local user.
When the ActiveX control is used in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code, the advisory states.
"We're currently investigating the issue as part of our Software Security Incident Response Process [SSIRP] and [are] working to develop a security update," blogged Dave Forstrom, group manager for Microsoft security response communications team. "This update will be released once it reaches an appropriate level of quality for broad distribution."
As a workaround, Microsoft suggests users consider disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry. Directions on how to do this can be found in the "workaround" section of the advisory.
The vulnerability impacts the following software: Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1 and Microsoft Office Small Business Accounting 2006.
Tomorrow, Microsoft is expected to release six Patch Tuesday security bulletins, including fixes for vulnerabilities in the DirectShow and Video ActiveX Control components that have also been the subject of attacks.