This is Dave Forstrom, group manager for our security response communications team. We have just posted Microsoft Security Advisory 973472, which highlights a vulnerability in Microsoft Office Web Components. Specifically, the vulnerability exists in the Spreadsheet ActiveX control. While we have seen only limited attacks, an attacker who successfully exploited the vulnerability could gain the same user rights as the local user.
The affected products are Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, and Microsoft Office Small Business Accounting 2006.
We’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update. This update will be released once it reaches an appropriate level of quality for broad distribution.
Additionally, we are actively working with partners in our Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) to share information that they can use to provide broader protections to customers.
Although the Microsoft Office Web Components ActiveX control has been deprecated for some time now, we still recommend that customers implement the workarounds provided in the Advisory. This can be done either manually, by following the instructions in the Workaround section, or automatically, by using the solution found in Microsoft Knowledge Base Article 973472.
For more technical details on the Advisory, please see what our colleagues have written over on the Security Research & Defense blog.
As always, be sure to check back here on the MSRC blog or in the Advisory for any additional information or updates that develop.
*This posting is provided "AS IS" with no warranties, and confers no rights.*