BNET UK
silicon.com
ZDNet UK

Home
News
Blogs
Reviews
Videos
Jobs
Resources
Community

Leader
Comment
White Papers
Downloads
Special Reports

Hardware
Software
Communications
Internet
Security
IT Management
Emerging Tech
Leader

Group Blogs
News Blog
Post Room
Rupert's Diary

Hardware Reviews
Software Reviews
Editors' Choice
Buyer's Guides
Tech Guides
Competitions

Dialogue Box
Security threats
Server platforms
Mobile devices
Application development
Full video index

Articles
White Papers
Downloads
Companies
Broadband Speed Test

People
Competitions
Post Room
FAQ

You are here: ZDNet UK > News > Software

Desktop platforms Toolkit

Office flaw exploit code published

Tags:
Access,
Exploit,
Flaw

Ina Fried CNET News

Published: 13 Apr 2005 10:40 BST

Microsoft is investigating the report of a flaw that could open systems using its Access or Office software up to attack.

The vulnerability, which was not one of eight patched by Microsoft on Tuesday, is in the Jet database engine component, according to an advisory posted the same day by security company Secunia. It could enable an intruder to remotely execute malicious code on a vulnerable PC, Secunia said.

Microsoft has not confirmed the existence of the security hole, which potentially affects software including Microsoft Office and the Microsoft Access database program.

Secunia rated the problem "highly critical", noting that exploit code for the flaw had been shared on a public mailing list.

"The vulnerability is caused due to a memory handling error when... parsing database files," Secunia said in its advisory. "This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access."

A Microsoft representative said on Tuesday that the company has not heard of any attacks on customers' systems using the unpatched security hole.

"We are aware of the exploit code that has been released," the Microsoft representative said, adding that the software maker would take appropriate action once it has completed its investigation of the problem.

The original alert regarding the flaw came from a security research firm called HexView, Secunia said.

Continuing an ongoing debate about when and how flaw finders should disclose vulnerabilities, Microsoft criticised the researchers for going public with the vulnerability, rather than privately contacting the software maker so a patch could be released when the flaw was disclosed.

"It is unfortunate that this researcher decided to post publicly," the Microsoft representative said.

HexView said in its own advisory that it notified Microsoft of the flaw on 30 March, but had received no response.

A Microsoft representative said the company had no record of any contact from HexView before the flaw was publicised.

Word of the problem comes on the same day Microsoft released fixes for eight other flaws, several of them critical, and some of them revealed publicly for the first time in the company's monthly security bulletin.

CNET News.com's David Becker contributed to this report.

Did you find this article useful?
71 out of 138 people found this useful

Share this article:
Digg
Slashdot
Del.ici.ous
Stumble
Reddit

Company/Topic Alerts

Create a new alert from the list below:

Microsoft
exploit

Flaw
Access

Video

Install Flash Player plugin

Find out more: From The Labs: A look at...

All videos
Most popular videos
Latest videos

Microsoft Windows 7 Special Report Special Report

How Microsoft can make Windows 7 a success

Comment Many businesses have given Vista a wide berth; Microsoft must focus on five areas to make sure Windows 7 doesn't suffer the same fate, argues TechRepublic's Jason Hiner