We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft working on patch for new zero-day vulnerability

Flaw affects Office Web Components

Microsoft has revealed it is working on a patch for a zero-day vulnerability in its Office Web Components, which are used for publishing spreadsheets, charts and databases to the web.

The company did not indicate when the patch would be released.

"Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we've only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user," said Dave Forstrom, a group manager who is part of Microsoft's Security Response Center, in a blog.

An ActiveX control is a small add-on program that works in a web browser to facilitate functions such as downloading programs or security updates. Over the years, however, the controls have been prone to vulnerabilities.

The new flaw comes as the company prepares to release its monthly patches, including one for another zero-day vulnerability revealed earlier this month. That problem lies with the Video ActiveX control within Internet Explorer.

Microsoft said that the flaw could allow an attacker to execute code remotely on a machine if someone using Internet Explorer visits a malicious website, a hacking technique known as a drive-by download

"In all cases, however, an attacker would have no way to force users to visit these web sites," Microsoft said in advisory.

"Instead, an attacker would have to persuade users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website."

Microsoft has issued a list of affected software, which includes Office XP Service Pack 3, 2003 Service Pack 3, several versions of Internet Security and Acceleration Server and Office Small Business Accounting 2006, among others.

Until a patch is ready, Microsoft said one option for administrators is to disable Office Web Components from running in Internet Explorer and has provided instructions on how to implement this.

Download FREE whitepapers:

Ten tips on security

Make sure your network is secure

Take part in PC Advisor's Broadband Survey 2009

PC security advice

See also: 'Conficker 2' IE bug will spread quickly


IDG UK Sites

Best Black Friday 2014 tech deals: Get bargains on smartphones, tablets, laptops and more

IDG UK Sites

What the Internet of Things will look like in 2015: homes will get smarter, people might get fitter

IDG UK Sites

See how Trunk's animated ad helped Ade Edmondson plug The Car Buying Service

IDG UK Sites

Yosemite tips for beginners: Complete Guide to OS X Yosemite