Microsoft warns of vulnerability in Office as it claims that exploits have already been detected
It has revealed that the vulnerability could allow remote code execution, as when using Internet Explorer, code execution is remote and may not require any user intervention.
Microsoft claimed that it is ‘aware of attacks attempting to exploit the vulnerability'. The company stated that it is "working to develop a security update for all affected software listed in the Overview section to address this vulnerability and will release the update when it has reached an appropriate level of quality for broad distribution."
The security advisory claimed that in a web-based attack scenario, an attacker could host a website that contains a web page that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.
Although an attacker would have no way to force users to visit these websites, they could persuade users to visit the website by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Wolfgang Kandek, CTO at Qualys, claimed that the last couple of weeks had been ‘interesting' for anybody following Microsoft Security with two major vulnerabilities exposed.
Kandek said: “Browsing websites that have exploit code embedded with Internet Explorer is the main attack vector, which will certainly fuel the discussion around the use of alternative browsers. Microsoft has quickly provided easy to use workarounds for both vulnerabilities via their Fixit program, but it is not clear why they have waited for over a year to provide a fix to the underlying coding problems which they were notified of in Spring of 2008.”
Meanwhile Andrew Clarke, senior vice president, international at Lumension, claimed that a break in the update and the release of a workaround, signals how significant the vulnerability is.
Clarke said: “Microsoft has labelled this exploit as ‘critical', as users that run Internet Explorer as their default browser are at risk of handing over unauthorised control of their endpoint to criminals.
“Given that Microsoft has warned that hackers are already exploiting the bug, means IT managers will need to race against the clock to take action before the hackers do. As the advisory is not expected to be resolved with content in today's Patch Tuesday, IT managers will be dependent on their security providers to advise them on implementing the workaround.”