Microsoft on Wednesday published a bulletin warning of three security vulnerabilities in Office Web Components (OWC), software used to give users limited Office functionality in a Web browser. The most serious of the vulnerabilities could enable an attacker to execute commands on a user's system.

OWC is a series of ActiveX controls that enable users to view and, to some extent, manipulate Office applications via a Web browser, without having to install the full Office application. The vulnerabilities cited by Microsoft exist in three OWC functions: Host, Load Text and Copy/Paste.

The Host vulnerability is the most serious. By design, the function provides access to application object models on the user's system. The vulnerability would enable an attacker to open an Office application on the user's system and take any action that the user could take, Microsoft's security bulletin says. That includes loading and running programs, altering data and changing security settings.

The other two vulnerabilities enable attackers to read data from the victim's system. In the case of the Load Text vulnerability, the attacker would have to know the path and name of the file before being able to access it. The Copy/Paste vulnerability enables attackers to view only data that happens to be in the user's clipboard.

Microsoft also noted that, to take advantage of any of the vulnerabilities via the Web, an attacker would have to entice the user to visit another Web site that hosts code invoking the attack method. Alternatively, the attacker could send the attack code via email as an HTML page, although mail clients that disallow ActiveX controls would foil that strategy.

The vulnerabilities affect Microsoft OWC 2000 and OWC 2002. Microsoft products that include the affected software are: BackOffice Server 2000, BizTalk Server 2000 and 2002, Commerce Server 2000 and 2002, Internet Security and Acceleration Server 2000, Money 2002 and 2003, Office 2000 and Office XP, Project 2002 and Project Server 2002, and Small Business Server 2000. OWC is also available as a standalone download.

Microsoft recommends that customers using the affected software apply the appropriate patch immediately. The patch and further information are available in Microsoft Security Bulletin MS02-044, at: www.microsoft.com/technet/security/bulletin/MS02-044.asp.