ZDNet UK


Office flaws scupper Patch Tuesday

Joris Evers CNET News.com

Published: 11 Apr 2007 10:18 BST


A trio of what appear to be new, yet-to-be-patched flaws in Microsoft Office has surfaced, according to security researchers at McAfee.

The vulnerabilities were reported in online security forums on Monday, according to a posting on the McAfee Avert Labs blog on Tuesday. All but one of the flaws result in denial of service, meaning the application would crash, according to the blog post.

"There is one heap-overflow flaw that might be exploited for code execution," Karthik Raman, a McAfee researcher, wrote on the blog on Tuesday. Typically such flaws are exploited by tricking a targeted victim into opening a rigged Office document.

Microsoft is investigating the bug reports as well, a company representative said in an emailed statement. Microsoft is not aware of any attacks that exploit any of the issues at this time, the representative said.

Word of the flaws comes on the day Microsoft issued five security bulletins as part of its monthly patch cycle. The company is still dealing with the aftermath of an emergency patch released last week.

"This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximise the exposure to these flaws until the next month's Patch Tuesday," Raman wrote.

Cybercrooks have found that they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after Patch Tuesday — the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.

McAfee is still investigating the security vulnerabilities. They may not actually all be new, said Dave Marcus, security research and communications manager at the security firm. "Sometimes what people claim to be zero-days may in fact be related to something that's already known," he said.

Should the three Office bugs be new, the tally of zero-day vulnerabilities in the productivity suite waiting for a fix would jump to five. Microsoft did not deliver any patches for Office on Tuesday, despite two vulnerabilities in the software that have been previously disclosed, according to eEye Security's zero-day flaw tracker.
