We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft working on patch for new zero-day vulnerability

Flaw affects Office Web Components

Microsoft has revealed it is working on a patch for a zero-day vulnerability in its Office Web Components, which are used for publishing spreadsheets, charts and databases to the web.

The company did not indicate when the patch would be released.

"Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we've only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user," said Dave Forstrom, a group manager who is part of Microsoft's Security Response Center, in a blog.

An ActiveX control is a small add-on program that works in a web browser to facilitate functions such as downloading programs or security updates. Over the years, however, the controls have been prone to vulnerabilities.

The new flaw comes as the company prepares to release its monthly patches, including one for another zero-day vulnerability revealed earlier this month. That problem lies with the Video ActiveX control within Internet Explorer.

Microsoft said that the flaw could allow an attacker to execute code remotely on a machine if someone using Internet Explorer visits a malicious website, a hacking technique known as a drive-by download

"In all cases, however, an attacker would have no way to force users to visit these web sites," Microsoft said in advisory.

"Instead, an attacker would have to persuade users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website."

Microsoft has issued a list of affected software, which includes Office XP Service Pack 3, 2003 Service Pack 3, several versions of Internet Security and Acceleration Server and Office Small Business Accounting 2006, among others.

Until a patch is ready, Microsoft said one option for administrators is to disable Office Web Components from running in Internet Explorer and has provided instructions on how to implement this.

Download FREE whitepapers:

Ten tips on security

Make sure your network is secure

Take part in PC Advisor's Broadband Survey 2009

PC security advice

See also: 'Conficker 2' IE bug will spread quickly


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Why Apple shouldn't be blamed for exploitation in China and Indonesia