A trio of what appear to be new, yet-to-be-patched flaws in Microsoft Office has surfaced, according to security researchers at McAfee.
The vulnerabilities were reported in online security forums on Monday, according to a posting on the McAfee Avert Labs blog on Tuesday. All but one of the flaws results in denial of service, meaning the application would crash, according to the blog post.
"There is one heap-overflow flaw that might be exploited for code execution," Karthik Raman, a McAfee researcher wrote on the blog on Tuesday. Typically such flaws are exploited by tricking a targeted victim into opening a rigged Office document.
Microsoft is investigating the bug reports as well, a company representative said in an e-mailed statement. The initial investigation has found that none of these zero-day claims demonstrates any vulnerability in the products of Office 2007, the latest version of Office, the representative said. Also, Microsoft is not aware of any attacks that exploit any of the issues at this time, he said.
In addition to the Office bugs, a zero-day vulnerability has been reported in Windows. Sample code that exploits a flaw in the way Windows handles help system files has been posted to the Internet.
"This is another heap-overflow flaw that might be exploited for code execution," McAfee's Raman wrote in an update to the Avert Labs blog late Tuesday.
Microsoft said it is aware of the issue. "Microsoft has listed .hlp files as unsafe file types and recommends customers exercise the same cautions with .hlp as .exe, as both file types are executable," it said. An attacker would have to use rigged .hlp files to exploit the flaw, according to Microsoft.
"This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the exposure to these flaws until the next month?s Patch Tuesday," Raman wrote.
Cybercrooks have found that they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after Patch Tuesday--the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.
McAfee is still investigating the security vulnerabilities. They may not actually all be new, said Dave Marcus, security research and communications manager at the Santa Clara, Calif.-based security firm. "Sometimes what people claim to be zero-days may in fact be related to something that's already known," he said.
Should the three Office bugs be new, the tally of zero-day vulnerabilities in the productivity suite waiting for a fix would jump to five. Microsoft did not deliver any patches for Office on Tuesday, despite two vulnerabilities in the software that have been previously disclosed, according to eEye Security's zero-day flaw tracker.
try to say oh poor microsoft has just released a patch for other flaws and then the office ones come along
even if the office flaws were discovered 2 or three weeks ago, they still wouldnt be patched on this patch tuesday, they would be shelved for another patch tuesday in a couple of months or longer.
your story is misleading in the way patch tuesday works.
"Does this really even amount to news since Microsoft is dead and most people have switched to alternative products."
There are alternative products? I'm only aware of OpenOffice, and there's something for those Mac users I think, but I wasn't aware of any alternatives to MS Office.
"Does this really even amount to news since Microsoft is dead and most people have switched to alternative products."
There are alternative products? I'm only aware of OpenOffice, and there's something for those Mac users I think, but I wasn't aware of any alternatives to MS Office.
Only one of these bugs is potentially exploitable so the rest are called "Denial Of Service" exploits. There should be a new classification called "Useless" because the end-user has to open a file with this bug embedded in it and then sees the program crash because of the bug. That's hardly a denial of service and there's no self respecting hacker who'd use such a crash to "deny service" to someone.
Apple says it's got a third-party group looking for issues at manufacturing partners it uses. Read CNET's FAQ to find out how we got here, and what the next steps are.
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
Proposal provides $140 billion for research and development of technologies such as clean energy, wireless communications, and cybersecurity--a 5 percent increase over 2012.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
There are a lot of things that AT&T's humongous Samsung Galaxy Note smartphone is, like a digital memo pad, a medium-size reader, and a great photo companion.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
even if the office flaws were discovered 2 or three weeks ago, they still wouldnt be patched on this patch tuesday, they would be shelved for another patch tuesday in a couple of months or longer.
your story is misleading in the way patch tuesday works.
n3td3v
There are alternative products? I'm only aware of OpenOffice, and there's something for those Mac users I think, but I wasn't aware of any alternatives to MS Office.
There are alternative products? I'm only aware of OpenOffice, and there's something for those Mac users I think, but I wasn't aware of any alternatives to MS Office.
The begonewith patch is otherwise known as the "Linux" patch...
Use it and be gone with Microsoft flaws for ever!!! (* GRIN *)
Walt