Microsoft Corp. warned of three vulnerabilities in software that allows users to view and edit Office documents in a Web browser. The most serious flaw, rated "critical," could give an attacker full control over a user's PC.
All three vulnerabilities exist in the spreadsheet component of Office Web Components (OWC), software that provides limited Office functionality in a Web browser without the need for Office to be installed, Microsoft said Wednesday in a security bulletin announcing a fix for the flaws.
OWC is shipped with various Microsoft products, including Office, and is also available as a separate download.
Microsoft's severity rating for standard computers is "critical," while the vulnerabilities present only a "moderate" risk to Internet and intranet servers, the Redmond, Wash., company said.
The most serious vulnerability lies in the "Host()" function of the spreadsheet OWC component. By sending a specially crafted HTML (Hypertext Markup Language) e-mail or luring the user to a Web site containing the special HTML page, an attacker could take any action on a PC that the user could, Microsoft said.
The other two vulnerabilities lie in the "LoadText()" and "Copy()/Paste()" methods of OWC. These expose files and the clipboard contents on a user's system. To read files, an attacker would have to know the location of the files and the files have to be readable through a Web browser, limiting the scope of the vulnerability, Microsoft said.
That's incorrect, according to security experts at GreyMagic Software, who say they first reported the three vulnerabilities to Microsoft almost five months ago. The "LoadText()" flaw allows an attacker to read any file, they said in an e-mail to the IDG News Service. Microsoft, also informed by GreyMagic, issued a revised security bulletin late Thursday, correcting its first bulletin on this point.
Also, GreyMagic criticized Microsoft for not permanently disabling the associated ActiveX control. ActiveX controls are single-purpose computer programs. The so-called "Kill Bit" is not set on the control, which means an attacker could remotely reinstall the vulnerable control. Microsoft acknowledges this, but contends it would be hard to reinstall the vulnerable control without the user noticing because the OWC package is 7MB in size.
GreyMagic disagrees, stating that "unlike MS claims, it's not that easy to notice the ActiveX control when it installs itself. An attacker can open an off-screen window that will silently install OWC without the user knowing.
"This is a fundamental problem in the patch and it renders it quite useless," GreyMagic said.
An attacker could reinstall the vulnerable OWC ActiveX control on a user's system by sending an HTML e-mail message or luring the user to a specially crafted Web page, Microsoft said in its bulletin.