With many users still reeling in the wake of the Blaster worm and its offspring, Microsoft has warned that its widely used Office productivity software contains several newly discovered security holes.
The company issued a security bulletin Wednesday, saying one of the flaws warrants a “critical” rating — its most serious classification. That vulnerability lies in code underlying Visual Basic for Applications (VBA), which enables customized applications to be run within Office, and it could allow an attacker to gain control of a machine remotely.
Microsoft indicated it was unaware of any successful or attempted attacks exploiting the flaws, but the company urged users of a range of Office products, including most versions of Access, Word, Excel and PowerPoint, to apply a patch as soon as possible. Microsoft defines critical flaws as those that could allow Internet-based attacks without requiring action on the user’s part, such as opening an executable file.
Microsoft’s decision to publish the warnings underscores its tenuous position with regard to the security of its products, which are a favorite target of hackers because of their ubiquitous and high-profile nature, industry analyst Rob Enderle told the E-Commerce Times.
“If they release a bulletin, they are criticized because their products aren’t secure enough, and if they don’t, they run an even greater risk,” Enderle said. “Microsoft has clearly dedicated a lot of time and corporate resources to getting security under control, but it’s going to take some time.”
He added that because much of the code underlying Windows has not changed substantially in 20 years, it is a prime target for miscreants.
Still, despite the barrage of media coverage generated by the Blaster worm and its fallout — and the SQL Slammer worm that ravaged the Internet backbone earlier this year — Microsoft has not suffered immediate damage to its business, by all accounts.
Although Sun tried to use Blaster to tout its open-source desktop offering, and others have said Microsoft’s woes give Linux options a major boost, Microsoft’s share price has held up relatively well. The company’s stock was trading at US$28.21 Thursday morning, down about a dollar from its 52-week high.
Not So Bad
The three other flaws were considered less serious. One received only a “moderate” threat rating, while two were rated “important.”
The flaws include an “important” vulnerability in some versions of Word that can result in macros running automatically, an “important” buffer overrun vulnerability in a program that converts documents to Word from WordPerfect, and a “moderate” vulnerability in the Access Snapshot Viewer.