RealTime IT News

Flaws Found In MS Office's HTML Tools

An Israeli software company has pointed out potential security flaws in a group of HTML tools for Microsoft's Office software.

GreyMagic Security posted advisories on the Office Web Components (OWC), a suite of HTML tools for spreadsheets, charts, tables, and databases that is automatically downloaded with all Office products.

According to GreyMagic, the problems were all discovered in late February and posted on its Web site April 8. GreyMagic said a kink in the scripting command could allow scripting to be run even when disabled. Also, the group said OWC's spreadsheet component could allow another party to gain control of the clipboard, and add and read data. Another advisory warned OWC's spreadsheet could be used to access local files.

A spokesman for Microsoft was unable to comment on the reported security flaws, but Microsoft's download page for OWC says that it is "temporarily unavailable."

A spokesman for GreyMagic stated in an email interview that the group notified Microsoft of the security problems in early April.

"Microsoft was notified approximately a week before the release, which was a compromise between immediate release and what Microsoft likes to call 'responsible disclosure,'" the spokesman said. "We felt that waiting until Microsoft will finally release a patch (at least a month and a half) would really be irresponsible (towards IE and Office customers)."

GreyMagic suggests users disable ActiveX in Internet Explorer or uninstall OWC until a patch is made available.

The security flaws were first reported in The Register.

Microsoft has had its share of security headaches. Notably, the software giant's Windows XP operating system, billed as the most secure it ever produced, had a serious flaw that left it open to a potential malicious attack. The company issued a patch in December 2001 for all XP users.

GreyMagic's spokesman said Microsoft responded to each of the eight security flaws it has pointed out.

"Microsoft was very fast to respond on each of the vulnerabilities we reported, and immediately opened investigations," the spokesman stated. "We can only wish that their patches would have been released as quick as their responses."