[ISN] Microsoft Yanks Office Tools After Security Report

From: InfoSec News (isnat_private)
Date: Fri Apr 26 2002 - 01:08:18 PDT

    http://www.newsbytes.com/news/02/176138.html
    
    By Brian McWilliams, Newsbytes
    REDMOND, WASHINGTON, U.S.A.,
    25 Apr 2002, 10:39 AM CST
     
    Microsoft [NASDAQ:MSFT] has removed a collection of tools for its
    Office suite following an independent report that the tools may open
    security vulnerabilities.
    
    According to a series of April 8 advisories from Israel's GreyMagic
    Security, the latest versions of Microsoft's Office Web Components
    (OWC) can enable malicious Web sites or e-mails to perform several
    attacks.
     
    The attacks, which involve Microsoft's Internet Explorer (IE) browser,
    include reading local files on the victim's computer, running scripts
    even when scripting has been disabled, and accessing the contents of
    the system's clipboard.
    
    The page at Microsoft's site for downloading OWC currently states,
    "This download is temporarily unavailable. Thank you for your
    patience."
    
    According to a copy of the page available in the Google search
    engine's cache, Office Web Components version 10 is automatically
    installed by Office XP Setup. OWC version 9 is installed by Office
    2000.
    
    GreyMagic's advisories said Microsoft has been informed and is
    investigating the security issues.
    
    Microsoft officials were not immediately available for comment.
    
    Until a patch is available, GreyMagic said concerned Office users can
    protect themselves from OWC-related attacks by disabling ActiveX
    support in IE, or by uninstalling OWC.
    
    In an e-mail interview today, a GreyMagic representative said the
    company disagreed with Microsoft over whether to wait for a patch to
    be available before releasing its advisory.
    
    "Our opinion was that early release would help stop exploitation
    sooner because workarounds will be applied. Their opinion was that
    customers prefer to stay exploitable for months and do a one-time
    patch when Microsoft releases the patch," said the GreyMagic official.
    
    According to Microsoft, Office Web Components is a collection of
    Component Object Model (COM) controls for publishing spreadsheets,
    charts and databases to the Web, and for viewing the published
    components in addition to Data Access Pages on the Web.
    
    GreyMagic's advisories are at http://sec.greymagic.com/adv/
    
    Microsoft's OWC download page is at
    http://office.microsoft.com/downloads/2002/owc10.aspx
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    


