Researchers spot first remote code Office 2007 bug
EEye Digital Security said it's found the first Office 2007 remote code vulnerability and has alerted Microsoft's bug team.
The terse warning posted to eEye's Upcoming Advisories site tags Publisher 2007, the desktop and Web publishing program included with some editions of Office, as the flawed application. "A remotely exploitable flaw exists within Publisher 2007 that allows arbitrary code to be executed in the context of the logged in user," the alert read. eEye rated the vulnerability as "high," and reported it to Microsoft a week ago.
"We're still in the back-and-forth with Microsoft [Security Response Center]," said Marc Maiffret, eEye's chief technology officer.
Microsoft confirmed it is working with eEye. "Microsoft is investigating new reports of a possible vulnerability in Publisher 2007, which has been responsibly disclosed to Microsoft [and] will continue to work with eEye to further understand this report," said a Microsoft spokesperson. "[We are] not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."
Although Maiffret declined to provide details of the vulnerability, he tacitly acknowledged that it was a bug in the Publisher 2007 file format. "Ninety percent of the time, [Office] bugs are in file formats. This is basically the same."
Users of Microsoft's Office productivity suites -- going as far back as Office 2000 and including the more recent Office 2003 -- have confronted a flood of flaws in the last 14 months. During 2006, Microsoft unveiled 13 security updates for Office 2000 and 11 for Office 2003; in the first two months of 2007, it's rolled out four bulletins for Office 2000 and six for Office 2003.
"Microsoft's been talking up Office 2007 as one of the first products that went through the Security Development Lifecycle, and telling everyone how great it would be," said Maiffret. "That's interesting, but this [vulnerability] shows that there still are going to be problems.
"With both Vista and Office 2007, it doesn't seem like Microsoft is really talking about compelling functionality. Instead, they're talking about security," Maiffret said. "That's crazy. The software should already have been secure."
Among the other outstanding alerts listed by eEye is one that affects Windows Vista -- and no other Microsoft operating system -- which was reported to the developer Jan. 19.
Click here for case studies, whitepapers and other useful vendor content 
ARN Panel Sessions: Day 3The last of our panel sessions recorded live at CeBIT 2008. Today, the topic is storage. Data is growing at an enormous rate, so what does the future hold?
Weekly Tech News Update: 21st November 2008Yahoo's CEO says goodbye, Intel introduces a new processor, and robots run wild. All that news and more on this week's World Tech Update
Electronic voting in U.S. electionDoubts about voting machines are lingering in the minds of many Americans as they head to the polls.
When an IT disaster occurs, how handy it would be to push a button and start again as if nothing had happened.
Discover and learn more about CA XOSoft today.
PGP and Ponemon Institute Unveil Inaugural Australian Data Breach Study 2008 20 November, 2008 17:34:00
Symantec Cloud Services Transform Data Centre Operations Through Proactive Management 20 November, 2008 12:06:00
Verizon Business Offers Tips to Building a Successful Unified Communications and Collaboration Plan 20 November, 2008 12:04:00
NetApp Named 2008 Citrix Ready Solution of the Year by Citrix Systems 20 November, 2008 11:33:00
Extreme Networks Ethernet Transport lowers total cost of ownership for carrier metro networks 20 November, 2008 10:21:00
Bankstown Council streamlines their IT with Microsoft® Windows Server® 2008
Deciding it was time for more streamlined operations, Bankstown Council teamed up with OSS Infotech, a Microsoft Gold Certified Partner. The solution included Microsoft Windows Server, Microsoft SQL Server® and Microsoft Exchange®.
Buying Guides
Latest Products
Buying Guides
