Two new security flaws in Microsoft's Office XP suite could be combined to allow attackers to take over a system, according to independent security researcher Georgi Guninski.
Microsoft plays down yet more software oversights
Guninski highlighted the issues to security email lists and posted them on his website on Monday.
The first vulnerability, which affects Outlook XP, would allow an attacker to embed 's 'active' content in an email, he claims. Active content contains both an object and a script. The content would be executed when the email is forwarded or replied to, wrote Guninski, who has previously uncovered a number of vulnerabilities in Microsoft products. The vulnerability could force a user to visit a web page designated by the attacker, Guninski wrote.
The second security hole, which affects the spreadsheet component of Office XP, can be used in conjunction with the first vulnerability to place executable (.exe) files in a user's start-up directory, which could lead to a takeover of the target machine.
Bulgarian-based Guninski included sample code in his advisory to demonstrate how to exploit both vulnerabilities.
Guninski claims to have notified Microsoft of the bugs on 17 March but the lack of response from Microsoft had triggered him to go public with his concerns. In the past Microsoft has criticised Guninski for releasing his vulnerability data too quickly, calling his actions "irresponsible."
Disabling all 'active' content in Internet Explorer (which is used by parts of Outlook) and fully deleting the spreadsheet component of Office XP will obviate the first threat. Microsoft, which says it is investigating the Outlook vulnerability, acknowledged there was a problem and recommended disabling HTML (hypertext markup language) email and not selecting Microsoft Word as the email editor.
Microsoft said it does "not as yet have a workaround for the second issue, but that even in the worst case it could only be used to create files and not to execute them or take any other action on the user's computer."
"We are concerned that this report has gone public before we've had a fair chance to investigate it," Microsoft said in its statement. "Its publication may put our customers at risk or at the very least cause customers needless confusion and apprehension. Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."