We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,078 News Articles

First Office 2007 bug found

Researchers spot remote code Office 2007 bug

EEye Digital Security said that it's found the first Office 2007 remote code vulnerability and has alerted Microsoft's bug team.

The terse warning posted to eEye's Upcoming Advisories site tags Publisher 2007, the desktop and web publishing program included with some editions of Office, as the flawed application. "A remotely exploitable flaw exists within Publisher 2007 that allows arbitrary code to be executed in the context of the logged-in user," the alert read. eEye rated the vulnerability as ‘high’, and reported it to Microsoft a week ago.

"We're still in the back-and-forth with Microsoft [Security Response Center]," said Marc Maiffret, eEye's chief technology officer.

Microsoft confirmed it is working with eEye. "Microsoft is investigating new reports of a possible vulnerability in Publisher 2007, which has been responsibly disclosed to Microsoft [and] will continue to work with eEye to further understand this report," said a Microsoft spokesperson. "[We are] not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."

Although Maiffret declined to provide details of the vulnerability, he tacitly acknowledged that it was a bug in the Publisher 2007 file format. "Ninety percent of the time, [Office] bugs are in file formats. This is basically the same."

Users of Microsoft's Office productivity suites - going as far back as Office 2000 and including the more recent Office 2003 - have confronted a flood of flaws in the last 14 months. During 2006, Microsoft unveiled 13 security updates for Office 2000 and 11 for Office 2003; in the first two months of 2007, it's rolled out four bulletins for Office 2000 and six for Office 2003.

"Microsoft's been talking up Office 2007 as one of the first products that went through the Security Development Lifecycle, and telling everyone how great it would be," said Maiffret. "That's interesting, but this [vulnerability] shows that there still are going to be problems.

"With both Vista and Office 2007, it doesn't seem like Microsoft is really talking about compelling functionality. Instead, they're talking about security," Maiffret said. "That's crazy. The software should already have been secure."

Among the other outstanding alerts listed by eEye is one that affects Windows Vista -- and no other Microsoft operating system - which was reported to the developer 19 January.


IDG UK Sites

Swatch to release its own line of smartwatches to rival iWatch

IDG UK Sites

From the iPhone 6 to the iWatch and a new Apple TV we look at the products Apple is set to launch...

IDG UK Sites

Miranda July's Somebody app offers a very unusual take on messaging

IDG UK Sites

The 7 most ridiculous iPhone 6 rumours: what Apple WON'T reveal on 9 September