
Microsoft: Newly Discovered MS Office/IE Flaw

For the second time in a week, Microsoft is warning that criminals are exploiting a previously unknown security hole in its software to break into Windows computers. The company has released a stopgap fix to help protect users until an official software update is available.

The problem stems from yet another insecure ActiveX component, this time one made to manage Excel spreadsheets between Internet Explorer and various Microsoft Office products.

In an advisory released today, Microsoft said it is aware of attacks exploiting this vulnerability, which is the sort that could give criminals complete control over a vulnerable Windows PC merely by tricking users into visiting a booby-trapped Web site with IE (yes, this means if you use Windows but consistently use a non-IE browser to surf the Web and open e-mail links, then you have little to worry about from this flaw).

According to Microsoft, your system is vulnerable if you have one or more of the following applications installed:

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office XP Web Components Service Pack 3
Microsoft Office Web Components 2003 Service Pack 3
Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2006
Internet Security and Acceleration Server 2006 Supportability Update
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
Microsoft Office Small Business Accounting 2006

Affected users can grab an interim fix from Redmond that disables the vulnerable component, by visiting this link, clicking the "Fix It" icon under "Enable workaround," and following the installation prompts from there. Microsoft says it is working on an official patch to plug the flaw.
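The Fix It above works by setting the ActiveX "kill bit" for the affected control in the registry, which tells IE never to load it. The following PowerShell snippet is an added example (not Microsoft's tool and not from the original post) that audits whether that bit is set; the CLSIDs in it are placeholders, so substitute the ones listed in Microsoft's advisory.

```powershell
# Audit whether the IE ActiveX "kill bit" is set for given controls.
# Added example; not Microsoft's Fix It tool. The CLSIDs below are
# PLACEHOLDERS (constructed), not the real vulnerable control IDs.
$KillBit  = 0x400   # Compatibility Flags bit that IE treats as "do not load"
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder
    '{00000000-0000-0000-0000-000000000002}'    # placeholder
)

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $keyPath = Join-Path $BasePath $Clsid
    if (-not (Test-Path -Path $keyPath)) {
        # No compatibility key at all: IE will load the control if it is installed.
        return [pscustomobject]@{ CLSID = $Clsid; KillBitSet = $false; Note = 'no compatibility key' }
    }

    $flags = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) {
        return [pscustomobject]@{ CLSID = $Clsid; KillBitSet = $false; Note = 'key exists, no flags value' }
    }

    # The kill bit is honoured only if 0x400 is present in the flags DWORD.
    $isSet = (([int]$flags) -band $KillBit) -eq $KillBit
    return [pscustomobject]@{ CLSID = $Clsid; KillBitSet = $isSet; Note = ('flags=0x{0:X}' -f [int]$flags) }
}

foreach ($c in $Clsids) { Test-KillBit -Clsid $c }
```

On 64-bit Windows, 32-bit IE reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so check that path as well; a control that was never installed will simply show "no compatibility key".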

Normally when Microsoft warns of these types of flaws it says it is aware of "limited attacks," but in this case the company, which is known for carefully wording its advisories, seems to have left that phrase out of its notice. It's not clear at the moment whether that means there are a large number of sites exploiting this flaw, or whether this reflects a policy shift by the company toward not downplaying the severity of unpatched threats. The last time Microsoft pushed out an alert about a previously unknown security hole (last week), it used the "limited attacks" language. Shortly after that advisory was released, an advisory from the SANS Internet Storm Center suggested the scope of attacks was anything but limited, noting that thousands of Web sites were using the vulnerability to install rogue software on visitor PCs.

Anti-virus vendor Sophos says it has received reports of several Web sites, mostly hosted in China, that serve the exploit as part of a web exploit kit that downloads rogue software.

Update, July 14, 11:47 a.m. ET: SANS is keeping a running tally of the Web sites that have been found to be exploiting this new ActiveX vulnerability, or at least forwarding visitors on to sites that exploit it. So far, there are more than 200 Web sites on the list, which appears to be growing quickly.

By Brian Krebs  |  July 13, 2009; 1:45 PM ET


Does using IE8 (rather than IE6 or IE7) protect users from this one?

Posted by: jesseruderman | July 13, 2009 4:12 PM | Report abuse

You can bet if IE8 was immune they'd just tell everyone to upgrade.

Posted by: bobgbv | July 13, 2009 5:59 PM | Report abuse

IE8 is about as big a pain as a virus. The pertinent point is that if you use a non-IE browser this is not a big issue. Firefox has its own issues, but not like this.

Posted by: Tojo1 | July 13, 2009 6:20 PM | Report abuse

I use Firefox under DropMyRights but I went ahead and applied the killbit as I have to have IE8 on the machine in order to do unscheduled checks of MS. I never use it for anything else, but it worries me to have to have it anyway.

Posted by: Eremita1 | July 13, 2009 9:17 PM | Report abuse

Normally Microsoft requires the use of IE to download this kind of stuff.

I am happy to say, that this time I used Firefox without any complaint from the site.

Posted by: | July 14, 2009 2:19 AM | Report abuse

Bruce, I'm confused about using an alternate browser for MS Update, in my case Opera. Normally I go to get my monthly patches with Opera via Control Panel which fires up IE. Then there are the usual checks to see if I am legit and have the necessary ActiveX SW.

How does this work with other browsers?

Posted by: Bartolo1 | July 14, 2009 6:57 AM | Report abuse

@bartolo -- this is not an official "patch" like the ones Microsoft will release today (patch Tuesday). this is a registry fix, and when you click the above mentioned link to the "Fix It" solution, you'll be prompted to download and run a file that makes a registry change. The file can be downloaded with whatever browser you want.

Posted by: BTKrebs | July 14, 2009 8:30 AM | Report abuse

Readers of Brian's indispensable blog may want to recall that there are excellent alternatives to Microsoft's Office Suite out there, in particular ( ), which can be downloaded and installed at no cost, and which doesn't seem to entail the level of vulnerability inherent in the former product....


Posted by: mhenriday | July 14, 2009 9:11 AM | Report abuse


The SANS post you quoted in reference to "thousands of web sites" was referring to a different defect.

Posted by: gary29 | July 14, 2009 11:04 AM | Report abuse

Bartolo's question is a good one, though: Is there a way to get Microsoft updates without setting one's PC to download/install them automatically, without having to fire up IE?

Posted by: Heron | July 14, 2009 11:04 AM | Report abuse

@Gary -- Yes, I understand that. And what I wrote states that I was talking about the penultimate time Microsoft released an advisory (I even link to last week's post). What about that was confusing to you?

Posted by: BTKrebs | July 14, 2009 11:46 AM | Report abuse

IE8 is about as big a pain as a virus. The pertinent point is that if you use a non-IE browser this is not a big issue. Firefox has its own issues, but not like this.

Posted by: Tojo1 | July 13, 2009 6:20 PM |

I don't know exactly what you meant by "not like this", but firefox, like every piece of software, is vulnerable to these things too. The exploit will frequently be different from one piece of software to another, but none are without vulnerability.


Posted by: lostinthemiddle | July 14, 2009 12:30 PM | Report abuse

Brian, I tried the link you provide to the workaround, got some "Silverlight error" box on screen, and some generic Microsoft security advisory page. ??

Posted by: dcarpenter14 | July 14, 2009 3:02 PM | Report abuse

@Dcarpenter14 -- Microsoft is a little confused today in shipping patches on Patch Tuesday. They claim in one statement to have fixed this flaw with an official patch, but that is not the case, from what I can tell looking at today's advisories. Someone seems to think they fixed this with MS09-32, but that patch addresses another ActiveX problem, not this one. Alas, they have errantly removed the FixIt tool.

I have asked Microsoft where the "Fix It" icon/instructions have gone and when they'll be put back. Will let you know when/if I get a response.

Posted by: BTKrebs | July 14, 2009 3:20 PM | Report abuse

What about open office format documents?

Posted by: bpuharic | July 14, 2009 8:06 PM | Report abuse

This issue was discussed today at our company's weekly IT meeting. As I understand it, Vista PCs are not affected; can someone confirm?

Posted by: gbooksdc | July 14, 2009 9:09 PM | Report abuse

@Gbooksdc- there isn't even a mention of Vista in the advisory from Microsoft, and they tend to mention that stuff when whole operating systems aren't affected, so I would say there is no support for a claim that Vista is unaffected by this.

Posted by: BTKrebs | July 15, 2009 9:09 AM | Report abuse

Just another ActiveX exploit involving Internet Explorer. Such vulnerabilities are often exploited via drive-by download attacks. With the recent flurry of exploits via Internet Explorer and Firefox afoot, I wrote a blog post that points out how limited user accounts (LUA) do NOT protect a computer from drive-by download attacks:

BTW, I believe I explain all of the terms I use.

Posted by: eiverson1 | July 15, 2009 2:43 PM | Report abuse

© 2010 The Washington Post Company