HomeNetworking

Security Warning For Microsoft Office Web Components

Small Business Computing Staff
By Small Business Computing Staff

By Paul Desmond

Microsoft recently published a bulletin warning of three security vulnerabilities in Office Web Components (OWC), software used to give users limited Office functionality in a Web browser. The most serious of the vulnerabilities could enable an attacker to execute commands on a user’s system.

OWC is a series of Active X controls that enable users to view and, to some extent, manipulate Office applications via a Web browser, without having to install the full Office application. The vulnerabilities cited by Microsoft exist in three OWC functions: Host, Load Text and Copy/Paste.

The Host vulnerability is the most serious. By design, the function provides access to application object models on the user’s system. The vulnerability would enable an attacker to open an Office application on the user’s system and take any action that the user could take, Microsoft’s security bulletin says. That includes loading and running programs, altering data and changing security settings.

The other two vulnerabilities enable attackers to read data from the victim’s system. In the case of the Load Text vulnerability, the attacker would have to know the path and name of the file before being able to access it. The Copy/Paste vulnerability enables attackers to view only data that happens to be in the user’s clipboard.

Microsoft also noted that, to take advantage of any of the vulnerabilities via the Web, an attacker would have to entice the user to visit another Web site where code that invokes the attack method exists. Alternatively, the attacker could send the attack code via email as an HTML page, although mail clients that disallow Active X controls would foil that strategy.

The vulnerabilities affect Microsoft OWC 2000 and OWC 2002. Microsoft products that include the affected software are: BackOffice Server 2000, BizTalk Server 2000 and 2002, Commerce Server 2000 and 2002, Internet Security and Acceleration Server 2000, Money 2002 and 2003, Office 2000 and Office XP, Project 2002 and Project Server 2002, and Small Business Server 2000. OWC is also available as a standalone download.

Microsoft recommends that customers using the affected software apply the appropriate patch immediately. Patch and further information is available in Microsoft Security Bulletin MS02-044, at: www.microsoft.com/technet/security/bulletin/MS02-044.asp.

Reprinted from esecurityplanet.com.

Small Business Computing Staff
Small Business Computing Staff
Small Business Computing addresses the technology needs of small businesses, which are defined as businesses with fewer than 500 employees and/or less than $7 million in annual sales.
Previous article
First Look: Symantec’s Norton Systemworks 2003
Next article
Changes Loom for Novell’s Groupwise & Netmail

Related Articles

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.

Small Business Computing addresses the technology needs of small businesses, which are defined as businesses with fewer than 500 employees and/or less than $7 million in annual sales. To address the needs of these small businesses, Small Business Computing offers detailed coverage of cost-effective technology solutions, including lists of top vendors, product comparisons, and how-to guides that offer specific tools to help solve issues.

Advertisers

Advertise with TechnologyAdvice on Small Business Computing and our other IT-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2024 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.