MS First Look: Word 2007 Not Bitten by Bugs

April 12, 2007
Microsoft Office Logo

Microsoft says it is still investigating reports of posted security holes, but it has found no evidence that the Office 2007 suite is vulnerable to the reported flaws.

Microsoft says a preliminary investigation into reports of vulnerabilities in its Office 2007 suite has produced no evidence of a threat to users.

Reports of new security holes in MS Office have been made public on known exploit sites, including information about four bugs posted on one site. Microsoft has not released specific information about the vulnerabilities, citing potential risk to users.

"Microsoft's initial investigation has found that none of these claims demonstrate any vulnerability in Word 2007 or any Office 2007 products," a company spokesperson said April 11. "Our investigation into the possible impact of these claims on other versions of Microsoft Office is continuing."

The reported flaws were uncovered by Mati Aharoni of Offensive-Security.com, in Israel. He said he was not searching for vulnerabilities in Word, but stumbled upon them while developing Offensive-Security.com course materials.

"I ran a character substitution script on several Windows file formats and was left dazed by the results," he said. "The vulnerabilities I released to the public were the least dangerous of my findings - most resulted in DOS only - actually getting code to execute via these bugs is highly improbable."

Two of these documents show how Word 2007 could trigger a "CPU exhaustion." A third vulnerability, also concerning Word 2007, could supposedly allow remote code execution. The fourth alleged vulnerability, which concerns the ".hlp" extension for Windows help files, could cause a heap overflow condition.

Aharoni said he has received several messages from others confirming that the bugs crashed Word 2007. He posted screenshots of the crashes or CPU exhaustion conditions on his blog, and expressed confusion as to why Microsoft seems unable to reproduce the conditions.

Through the company spokesperson, Microsoft stated the company may issue a security advisory or update if it is deemed necessary.

Karthik Raman, a researcher at McAfee, in Santa Clara, Calif., wrote in a blog post April 10 that the timing of publicizing of the potential vulnerabilities on exploit sites may not be coincidental. "This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the public's exposure to these flaws until the next month's Patch Tuesday," Raman wrote.

Andrew Storms, director of security operations at nCircle, in San Francisco, said the issue of responsible disclosure is a never-ending debate within the security space. He advocates responsible disclosure, defined as reporting a vulnerability to a vendor first and allowing the company a chance to fix it.

"It comes down to the question, Does responsible disclosure to the vendor deliver a better product? Does it force the vendor to fix it more quickly?" he said.

Aharoni said he has little patience for the formal disclosure process after having had disappointing experiences with it in the past.

"Microsoft has made huge leaps in security in the past years and I appreciate that," he said. However, he said, "As a Microsoft customer, I would like to see bugs patched quicker."

Copyright 2007 by Ziff Davis Media, Distributed by United Press International


Rank 3 /5 (1 vote)
Tags

Related Stories
Relevant PhysicsForums posts
  • Need help reading 3-D
    created3 hours ago
  • A way to send and receive wireless data
    created9 hours ago
  • Tabletop Cold Fusion Reactor
    created10 hours ago
  • Calling function with no input argument
    createdFeb 10, 2012
  • Force free body diagram problem on gym equipment
    createdFeb 10, 2012
  • Empirical data regarding shower heads and water
    createdFeb 10, 2012
  • More from Physics Forums - General Engineering

More news stories

Walney offshore wind farm is world's biggest (for now)

(PhysOrg.com) -- The Walney wind farm on the Irish Sea--characterized by high tides, waves and windy weather--officially opened this week. The farm is treated in the press as a very big deal as the Walney ...

Technology / Energy & Green Tech

created 12 hours ago | popularity 3.9 / 5 (10) | comments 28 | with audio podcast weblog

GPS court ruling leaves US phone tracking unclear

A US Supreme Court decision requiring a warrant to place a GPS device on the car of a criminal suspect leaves unresolved the bigger issue of police tracking using mobile phones, legal experts say.

Technology / Telecom

created 12 hours ago | popularity 4 / 5 (2) | comments 0

Europeans protest controversial Internet pact

Tens of thousands of people marched in protests in more than a dozen European cities Saturday against a controversial anti-online piracy pact that critics say could curtail Internet freedom.

Technology / Internet

created 8 hours ago | popularity 5 / 5 (5) | comments 0

Netflix settlement trims 14 pct off 4Q earnings

(AP) -- Netflix pressed the rewind button on its fourth-quarter earnings after settling allegations that the video subscription service violated a consumer-privacy law.

Technology / Business

created 12 hours ago | popularity not rated yet | comments 0

Navy to begin tests on electromagnetic railgun prototype launcher

The Office of Naval Research (ONR)'s Electromagnetic (EM) Railgun program will take an important step forward in the coming weeks when the first industry railgun prototype launcher is tested at a facility ...

Technology / Engineering

created Feb 06, 2012 | popularity 4.7 / 5 (15) | comments 90 | with audio podcast


Europe stakes billion-dollar bet on new rocket

A pencil-slim rocket is scheduled to lift into space from South America on Monday, carrying a billion-dollar bet that Europe can grab a juicy slice of the market to place satellites in low orbit.

Study finds that anti-diabetic medication can prevent the long-term effects of maternal obesity

In a study to be presented today at the Society for Maternal-Fetal Medicine's annual meeting, The Pregnancy Meeting, in Dallas, Texas, researchers will report findings that show that short therapy with the anti-diabetic medication ...

Steroid injections prove effective in treatment of lumbar disc herniations

The use of epidural steroid injections may be a more efficient treatment option for lumbar disc herniations, according to research presented today at the American Orthopaedic Society for Sports Medicine's Specialty Day in ...

Amateur football players not always keen on returning to play after ACL injuries

Despite the known success rates of reconstructive Anterior Cruciate Ligament (ACL) surgery, the number of high school and collegiate football players returning to play may not be as high as anticipated, say researchers presenting ...

Study finds elevated levels of cell-free DNA in first trimester do not predict preeclampsia

In a study to be presented today at the Society for Maternal-Fetal Medicine's annual meeting, The Pregnancy Meeting, in Dallas, Texas, researchers will report findings that indicate that elevated levels of cell-free DNA in ...

PRP treatment aids healing of elbow injuries say researchers

As elbow injuries continue to rise, especially in pitchers, procedures to help treat and get players back in the game quickly have been difficult to come by. However, a newer treatment called platelet rich plasma (PRP) may ...