Microsoft plugs critical Office holes

Microsoft Corp. warned of three vulnerabilities in software that allows users to view and edit Office documents in a Web browser. The most serious flaw, rated “critical,” could give an attacker full control over a user’s PC.

All three vulnerabilities exist in the spreadsheet component of Office Web Components (OWC), software that provides limited Office functionality in a Web browser without the need for Office to be installed, Microsoft said Wednesday in a security bulletin announcing a fix for the flaws.

OWC is shipped with various Microsoft products, including Office, and is also available as a separate download.

Microsoft’s severity rating for standard computers is “critical,” while the vulnerabilities present only a “moderate” risk to Internet and intranet servers, the Redmond, Wash., company said.

The most serious vulnerability lies in the “Host()” function of the spreadsheet OWC component. By sending a specially crafted HTML (Hypertext Markup Language) e-mail or luring the user to a Web site containing the special HTML page, an attacker could take any action on a PC that the user could, Microsoft said.

The other two vulnerabilities lie in the “LoadText()” and “Copy()/Paste()” methods of OWC. These expose files and the clipboard contents on a user’s system. To read files, an attacker would have to know the location of the files, and the files would have to be readable through a Web browser, limiting the scope of the vulnerability, Microsoft said.

That’s incorrect, according to security experts at GreyMagic Software, who say they first reported the three vulnerabilities to Microsoft almost five months ago. The “LoadText()” flaw allows an attacker to read any file, they said in an e-mail to the IDG News Service. Microsoft, also informed by GreyMagic, issued a revised security bulletin late Thursday, correcting its first bulletin on this point.

Also, GreyMagic criticized Microsoft for not permanently disabling the associated ActiveX control. ActiveX controls are single-purpose computer programs. The so-called “Kill Bit” is not set on the control, which means an attacker could remotely reinstall the vulnerable control. Microsoft acknowledges this, but contends it would be hard to reinstall the vulnerable control without the user noticing because the OWC package is 7MB in size.

GreyMagic disagrees, stating that “unlike MS claims, it’s not that easy to notice the ActiveX control when it installs itself. An attacker can open an off-screen window that will silently install OWC without the user knowing.

“This is a fundamental problem in the patch and it renders it quite useless,” GreyMagic said.

An attacker could reinstall the vulnerable OWC ActiveX control on a user’s system by sending an HTML e-mail message or luring the user to a specially crafted Web page, Microsoft said in its bulletin.

Thor Larholm, a security researcher at PivX Solutions LLC, said Microsoft took its time to plug the OWC holes and said the vulnerable ActiveX control should have been disabled.

“This one sure took a long time to patch, despite the public awareness that was raised,” he said. “Microsoft forgot to set the ‘Kill Bit’ on the component, so a malicious programmer can reinstall the old and vulnerable OWC automatically when a user visits his Web page.”

Microsoft in its bulletin said it can’t set the Kill Bit because Office and other applications used to write Web pages refer to the ActiveX control in question. If the Kill Bit were set, many Web pages would no longer function, according to Microsoft. The company is working on a new technique to set the Kill Bit without forcing users to redo the Web pages calling the ActiveX control.

Affected are OWC 2000 and OWC 2002. This software is shipped with Microsoft’s BackOffice Server 2000, BizTalk Server 2000, BizTalk Server 2002, Commerce Server 2000, Commerce Server 2002, Internet Security and Acceleration Server 2000, Money 2002, Money 2003, Office 2000, Office XP, Project 2002, Project Server 2002 and Small Business Server 2000, according to Microsoft.

Patches to eliminate the vulnerabilities are available. Microsoft advises Office XP users to install Office XP Service Pack 2 instead of the general patch. Users can also download and install the updated OWC software from Microsoft’s Web site instead of patching. OWC is about 7MB in size.

More information can be found in Microsoft’s security bulletin MS-02-044 at: