Stephen Withers
Tuesday, 14 July 2009 07:52
Business IT -
Security
Page 1 of 2
Another ActiveX control is under attack. This time it is one installed alongside Office and several other Microsoft products.
A vulnerability in the Spreadsheet ActiveX control - part of Microsoft Office Web Components - can be remotely exploited to gain the same rights as the local user, Microsoft officials have warned.
According to a Microsoft statement, "Products affected are Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, Microsoft Office Small Business Accounting 2006."
A simpler list published elsewhere by Microsoft contains Office XP/2003/2007, BizTalk, ISA Server, and Office Accounting and Business Contact Manager. Office Web Components can also be installed separately.
A temporary fix is to apply a kill-bit to the control. This can be done automatically by using the wizard provided on Microsoft's
Help and Support site, but administrators are likely to turn to other tools to deploy the kill-bit across their fleets.
The kill-bit only prevents the control being used from Internet Explorer. The control has been depreciated for some time, so it is relatively unlikely to be used by current software.
Microsoft is investigating the vulnerability, and is working on a security update that will be released at an unspecified time.
The vulnerability is being exploited - please
read on.
LATEST HEADLINES FROM YOUR IT
