Security Warning For Microsoft Office Web Components
Microsoft warns there are three security vulnerabilities in Office Web Components -- software used to give users limited Office functionality in a Web browser -- the most serious of which could enable an attacker to execute commands on a user's system.
OWC is a series of ActiveX controls that enable users to view and, to some extent, manipulate Office applications via a Web browser, without having to install the full Office application. The vulnerabilities cited by Microsoft exist in three OWC functions: Host, Load Text and Copy/Paste.
The Host vulnerability is the most serious. By design, the function provides access to application object models on the user's system. The vulnerability would enable an attacker to open an Office application on the user's system and take any action that the user could take, Microsoft's security bulletin says. That includes loading and running programs, altering data and changing security settings.
The other two vulnerabilities enable attackers to read data from the victim's system. In the case of the Load Text vulnerability, the attacker would have to know the path and name of the file before being able to access it. The Copy/Paste vulnerability enables attackers to view only data that happens to be in the user's clipboard.
The vulnerabilities affect Microsoft OWC 2000 and OWC 2002. Microsoft products that include the affected software are: BackOffice Server 2000, BizTalk Server 2000 and 2002, Commerce Server 2000 and 2002, Internet Security and Acceleration Server 2000, Money 2002 and 2003, Office 2000 and Office XP, Project 2002 and Project Server 2002, and Small Business Server 2000. OWC is also available as a standalone download.
Microsoft recommends that customers using the affected software apply the appropriate patch immediately. The patch and further information are available in Microsoft Security Bulletin MS02-044, at: www.microsoft.com/technet/security/bulletin/MS02-044.asp.