Flaw found in Office 2007

By Dawn Kawamoto
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
- Google
- Newsvine
- Yahoo! Bookmarks
- Twitter
- Stumbleupon
E-mail
Print

Related Stories: Microsoft to deliver patches by the dozen
February 8, 2007; Windows, Office to get 'critical' fixes
January 4, 2007; Office hit by another security problem
June 22, 2006

Researchers have discovered a "highly critical" security flaw in newly released Office 2007, despite Microsoft's efforts to deliver its most secure version yet of the productivity software.

The consumer version of Office 2007, which launched only four weeks ago, is designed to withstand higher scrutiny by malicious code writers, as Microsoft subjected the software to code auditors as part of its security development lifecycle.

But researchers at eEye Digital Security found a file format vulnerability in Microsoft Office Publisher 2007, which could be exploited to let an outsider run code on a compromised PC.

"We were surprised we could find a flaw so quickly (after Office 2007 launched) and one that was part of their core products," said Ross Brown, eEye's chief executive.

An attacker could create a malicious publisher file, he said. Once the recipient opens the file, he or she could find the system infected and susceptible to a remote attack.

Researchers at eEye used a standard process of code auditing in discovering the vulnerabilities, Brown added. He noted that Microsoft either did not do a "good job" with its code auditing, or it may not have had enough people working on such a task.

Microsoft, meanwhile, said it is investigating eEye's report of a possible vulnerability in Publisher 2007 and will provide users with additional guidance if necessary.

Executives at the software giant have recently said they expect security challenges to keep emerging, as an increasing number of devices connect to the Internet.

No public exploits have been reported in circulation for Publisher 2007 and, given Office 2007's recent release, the flaw may hold little attraction for attackers who may wish to concentrate on software that is in greater distribution, eEye said.

See more CNET content tagged:
eEye Digital Security, Microsoft Office 2007, Microsoft Office, auditing, flaw

Add a Comment (Log in or register) 17 comments

wait for it...
by bob blob February 23, 2007 2:38 PM PST: wait for it...; Reply to this comment

Flaw
by bradyme February 23, 2007 3:59 PM PST: The hole system is a flaw! Wht do ineed a gig of memory to just run the friken OS + Office! Is 2 gigs just to have a stable system to let me do what I want!! GHAWD!; Reply to this comment View all 3 replies
Processing

Office Flaw
by jevenew February 24, 2007 11:33 AM PST: I see your readers are still searching for that perfect bundle of software; you know the one. That perfect piece of software that all you do is turn on your PC and your job ends. The computer then reads your mind, and selects every different scenario that you might want, and proceeds to do it well.
You do have choices. You might write your own software, then you could blame yourself for the holes you say are in MS Office 2007.; Reply to this comment

Keep it in perspective...
by Microsoft_Facts February 24, 2007 4:01 PM PST: There are thousands, if not hundreds of thousands, of flaws in Microsoft Office products. There is one (1) known macro virus in all other non-Microsoft Office products combine the world over.

The flaw here is Microsoft's monopoly on Office products has been allowed to continue, costing society at large severe harm.; Reply to this comment View all 2 replies
Processing

Publisher 2007
by zaxt March 2, 2007 7:54 AM PST: I have been using Pub 2007 quite a lot for the past three days. Yesterday I started having alot of problems i.e. monitor settings, ITunes, and others. Could this be related to the Pub 2007 problem?; Reply to this comment

Latest tech news headlines

IBM invests in business partners' training
Posted in News - Business Tech by Colin Barker

October 11, 2008 5:01 PM PDT
Navy charters kite-powered cargo ship to deliver equipment
Posted in Military Tech by Mark Rutherford

October 11, 2008 11:03 AM PDT
FCC report negates free Internet interference claims
Posted in News - Wireless by Michelle Meyers

October 11, 2008 10:41 AM PDT
See all headlines

Resource center from News.com sponsors

You Need The Speed of Norton 2009

Introducing Norton Internet Security™2009

With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
IBM invests in business partners' training
A business development fund aims to encourage its largest partners to take up more skills training around data centers.
Gallery
Photos: Top 10 reviews of the week
Military Tech
Navy charters kite-powered cargo ship to deliver equipment
The use of this new breed of sailing ship could reduce fuel costs by 20 to 30 percent, according to the ship's owners.
Coop's Corner
Ellison's mantra: Spend, baby, spend
It may be hell out there, but Oracle's chief tells shareholders the company still intends to shop for more acquisitions.
Video
Sprint launches Xohm WiMax
News - Wireless
FCC report negates free Internet interference claims
Report from commission engineers boosts plan to auction spectrum for free wireless Internet by dismissing concerns it would interfere with existing providers' signals.
Video
Talking with Newt Gingrich on tech, bailout
News - Politics and Law
President signs broadband data collection bill
The Broadband Data Act encourages wider collection of information regarding nationwide access to broadband.
News - Cutting Edge
Academics sink teeth into Yahoo search service
Yahoo hopes its Build Your Own Search Service program has piqued the interest of academic researchers. Next stop: start-ups.
Gallery
Photos: Cracking open Apple's revamped iPod Nano
Crossfade
Crooked Fingers, 'Phony Revolutions': Free MP3 of the Day
Download a free MP3 of "Phony Revolutions" courtesy of CNET Download Music.
Green Tech
Urban wind power inspired by ancient Persia
The shape of urban wind power continues to morph. The latest twist come from Windation, a company with a design inspired by centuries-old "wind catchers."