We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Two more Office XP flaws

Microsoft plays down yet more software oversights

Two new security flaws in Microsoft's Office XP suite could be combined to allow attackers to take over a system, according to independent security researcher Georgi Guninski.

Guninski highlighted the issues to security email lists and posted them on his website on Monday.

The first vulnerability, which affects Outlook XP, would allow an attacker to embed 's 'active' content in an email, he claims. Active content contains both an object and a script. The content would be executed when the email is forwarded or replied to, wrote Guninski, who has previously uncovered a number of vulnerabilities in Microsoft products. The vulnerability could force a user to visit a web page designated by the attacker, Guninski wrote.

The second security hole, which affects the spreadsheet component of Office XP, can be used in conjunction with the first vulnerability to place executable (.exe) files in a user's start-up directory, which could lead to a takeover of the target machine.

Bulgarian-based Guninski included sample code in his advisory to demonstrate how to exploit both vulnerabilities.

Guninski claims to have notified Microsoft of the bugs on 17 March but the lack of response from Microsoft had triggered him to go public with his concerns. In the past Microsoft has criticised Guninski for releasing his vulnerability data too quickly, calling his actions "irresponsible."

Disabling all 'active' content in Internet Explorer (which is used by parts of Outlook) and fully deleting the spreadsheet component of Office XP will obviate the first threat. Microsoft, which says it is investigating the Outlook vulnerability, acknowledged there was a problem and recommended disabling HTML (hypertext markup language) email and not selecting Microsoft Word as the email editor.

Microsoft said it does "not as yet have a workaround for the second issue, but that even in the worst case it could only be used to create files and not to execute them or take any other action on the user's computer."

"We are concerned that this report has gone public before we've had a fair chance to investigate it," Microsoft said in its statement. "Its publication may put our customers at risk or at the very least cause customers needless confusion and apprehension. Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

IDG UK Sites

Acer Aspire R11 review: Hands-on with the 360 laptop and tablet convertible

IDG UK Sites

Apple Watch release day: Twitter reacts

IDG UK Sites

See how Framestore created a shape-shifting, oil and metal based creature for Shell

IDG UK Sites

Apple Watch buying guide, price list & where to buy today: Which Apple Watch model, size, material,?......