http://www.newsbytes.com/news/02/176138.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
25 Apr 2002, 10:39 AM CST

Microsoft [NASDAQ:MSFT] has removed a collection of tools for its Office suite following an independent report that the tools may open security vulnerabilities.

According to a series of April 8 advisories from Israel's GreyMagic Security, the latest versions of Microsoft's Office Web Components (OWC) can enable malicious Web sites or e-mails to perform several attacks.

The attacks, which involve Microsoft's Internet Explorer (IE) browser, include reading local files on the victim's computer, running scripts even when scripting has been disabled, and accessing the contents of the system's clipboard.

The page at Microsoft's site for downloading OWC currently states, "This download is temporarily unavailable. Thank you for your patience."

According to a copy of the page available in the Google search engine's cache, Office Web Components version 10 is automatically installed by Office XP Setup. OWC version 9 is installed by Office 2000.

GreyMagic's advisories said Microsoft has been informed and is investigating the security issues. Microsoft officials were not immediately available for comment.

Until a patch is available, GreyMagic said concerned Office users can protect themselves from OWC-related attacks by disabling ActiveX support in IE, or by uninstalling OWC.

In an e-mail interview today, a GreyMagic representative said the company disagreed with Microsoft over whether to wait for a patch to be available before releasing its advisory.

"Our opinion was that early release would help stop exploitation sooner because workarounds will be applied. Their opinion was that customers prefer to stay exploitable for months and do a one-time patch when Microsoft releases the patch," said the GreyMagic official.

According to Microsoft, Office Web Components is a collection of Component Object Model (COM) controls for publishing spreadsheets, charts and databases to the Web, and for viewing the published components in addition to Data Access Pages on the Web.

GreyMagic's advisories are at http://sec.greymagic.com/adv/

Microsoft's OWC download page is at http://office.microsoft.com/downloads/2002/owc10.aspx