Flaws Found In MS Office’s HTML Tools

An Israeli software company has pointed out potential security flaws in a
group of HTML tools for Microsoft’s Office software.

GreyMagic Security posted advisories that the Office Web Components (OWC),
which includes HTML tools for spreadsheets, charts, tables, and databases
suite, is automatically downloaded with all Office products.

According to GreyMagic, the problems were all discovered in late February
and posted on its Web site April
8. GreyMagic said a kink in the scripting command could allow scripting to
be run even when disabled. Also, the group said OWC’s spreadsheet component
could allow another party to gain control of the clipboard, and add and read
data. Another advisory warned OWC’s spreadsheet could be used to access
local files.

A spokesman for Microsoft was unable to comment on the reported security
flaws, but Microsoft’s download
page for OWC says that it is “temporarily unavailable.”

A spokesman for GreyMagic stated in an email interview that the group
notified Microsoft of the security problems in early April.

“Microsoft was notified approximately a week before the release, which was a
compromise between immediate release and what Microsoft likes to call
“responsible disclosure,” the spokesman said. We felt that waiting until
Microsoft will finally release a patch (at least a month and a half) would
really be irresponsible (towards IE and Office customers).”

GreyMagic suggests users disable ActiveX in Internet Explorer or uninstall
OWC until a patch is made available.

The security flaws were first reported in The Register.

Microsoft has had its share of security headaches. Notably, the software
giant’s Window XP operating system, billed as the most secure it ever
produced, had a
serious flaw that left it open to a potential malicious attack. The
company issued a patch in December 2001 for all XP users.

GreyMagic’s spokesman said Microsoft responded to each of the eight security
flaws it has pointed out.

“Microsoft was very fast to respond on each of the vulnerabilities we
reported, and immediately opened investigations,” the spokesman stated. “We
can only wish that their patches would have been released as quick as their
responses.”