Office Exploits Rear Their Ugly Heads

Talk about timing. Just as Microsoft was issuing its monthly array of patches, three new vulnerabilities for Office were exposed. Fortunately, it was not one of those situations where the viruses were timed to come out after Patch Tuesday. Rather, it was a bit of good luck.

McAfee’s Avert Labs reports there are three exploits. Two cause a denial-of-service within the infected computer, throttling the CPU to 100 percent and slowing it way down. The third is reported to be a buffer overflow that allows for remote code execution, but Microsoft  is denying that.

David Marcus, security research and communications manager for Avert, told internetnews.com that the vulnerabilities don’t affect Office 2007, which Microsoft has confirmed. Two of the exploits affect Word and the third affects the HLP files in Office’s help system.

Marcus said that the code Avert obtained was proof of concept and not really capable of doing anything. But proof-of-concept malware  inevitably means the bad stuff is on its way.

“What [virus writers] do is circulate the sample code on the underground amongst themselves to modify it and make it more impactful. They are very good at information sharing there,” he said.

Marcus felt it was odd that sample code got out so soon, since it’s in an inert stage. The code was posted to a secret forum for combating viruses by a source Marcus would not identify.

“If I could put my guessing hat on, probably a good-guy security researcher came across these proof of concept codes and decided to share them with the security community. What happened is the rest of the security community got a look at these before it got fleshed out,” he said.

Microsoft has yet to say anything on its Security Response Center blog, where it usually announces such findings. The company, along with McAfee  and other antivirus vendors, are still doing their source code forensics.

In a statement, Microsoft said it is investigating “new public reports of possible vulnerabilities in Microsoft Office. Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.”

This would bring the number of outstanding Office security issues to four, as one buffer overflow, CVE-2007-0870, has been hanging fire since February.

Even if Microsoft chooses to wait until the scheduled patches in May, McAfee and other antivirus vendors will provide their own protections. “Mind you, it would be better for them to patch sooner rather than later, but from our point of view, we’re providing protection for it,” said Marcus.