Advertisement
Promo

Security threats Toolkit

Office flaws scupper Patch Tuesday

Joris Evers CNET News

Published: 11 Apr 2007 10:18 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

A trio of what appear to be new, yet-to-be-patched flaws in Microsoft Office has surfaced, according to security researchers at McAfee.

The vulnerabilities were reported in online security forums on Monday, according to a posting on the McAfee Avert Labs blog on Tuesday. All but one of the flaws results in denial of service, meaning the application would crash, according to the blog post.

"There is one heap-overflow flaw that might be exploited for code execution," Karthik Raman, a McAfee researcher, wrote on the blog on Tuesday. Typically such flaws are exploited by tricking a targeted victim into opening a rigged Office document.

Watch this

Video: Windows cursor hack in action
Video Story Video Control Panel

Microsoft is investigating the bug reports as well, a company representative said in an emailed statement. Microsoft is not aware of any attacks that exploit any of the issues at this time, the representative said.

Word of the flaws comes on the day Microsoft issued five security bulletins as part of its monthly patch cycle. The company is still dealing with the aftermath of an emergency patch released last week.

"This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximise the exposure to these flaws until the next month's Patch Tuesday," Raman wrote.

Cybercrooks have found that they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after Patch Tuesday — the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.

McAfee is still investigating the security vulnerabilities. They may not actually all be new, said Dave Marcus, security research and communications manager at the security firm. "Sometimes what people claim to be zero-days may in fact be related to something that's already known," he said.

Should the three Office bugs be new, the tally of zero-day vulnerabilities in the productivity suite waiting for a fix would jump to five. Microsoft did not deliver any patches for Office on Tuesday, despite two vulnerabilities in the software that have been previously disclosed, according to eEye Security's zero-day flaw tracker.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
6 out of 8 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

2 comments

  1. "meaning the application would crash" Yellowcave
  2. "meaning the application would crash" ator1940

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:






Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Beware of keeping your head in the clo...

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in... More

1 comment

Civil liberties groups attack file-sha...

Civil liberties and digital rights organisations have strongly criticised Lord Mandelson's Digital Economy Bill. Liberty said in a position paper on Tuesday that the bill, part of... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters