eEye spies first MS Office 2007 remote exploit

Summary: Security researchers at eEye Digital Security have found what is believed to be the first remotely exploitable vulnerability in a Microsoft Office 2007 application.

In a bare-bones alert posted to its Upcoming Advisories page, eEye said the flaw exists within Publisher 2007 and can allow arbitrary code execution in the context of the logged-in user.

eEye's chief hacking officer Marc Maiffret said minimal user action is required to trigger the vulnerability.

Publisher 2007 is used mostly by businesses to create, design and publish professional-looking marketing material for print, e-mail and the Web.

A spokesman for the MSRC (Microsoft Security Response Center) confirmed receipt of eEye's discovery. "[We] will continue to work with eEye to further understand this report as part of our standard MSRC investigation process and will provide additional guidance for customers as necessary," he said.

Maiffret said the two companies are going through the "standard back-and-forth" information sharing process. "It always takes a few days to nail down the extent of the bug and understand the severity," he said. In the meantime, eEye has slapped a "high risk" rating on the vulnerability.

If confirmed by Microsoft, it would be the first major hole in the Office 2007 line, which went through the company's rigorous SDL (Security Development Lifecycle) process. But, although Microsoft's SDL is a significant investment in product security, Maiffret said it's no surprise to find remotely exploitable issues because of the large attack surface presented by the desktop productivity suite.

Since the end of the worm era (the last major network worm was Slammer in 2004), attackers and researchers have shifted their focus to client-side vulnerabilities, and Microsoft Office has not held up well to scrutiny.

The statistics tell the entire story. In 2005, Microsoft shipped 2 bulletins with patches for Office 2003 flaws. In 2006, that number skyrocketed to 12 bulletins. In the first two months of 2007, Redmond has already released 6 bulletins, covering multiple bugs affecting Word, Excel and PowerPoint.

"Every time Word or Excel crashes, that's an error that could be a security hole. Once Windows XP SP2 closed the door on worms, it became natural to look for file format issues. Microsoft Office is the perfect target for that," Maiffret explained.

Despite the evidence, there's a general feeling in security research circles that Windows Vista will provide some salvation from the Office bugs.

Thomas Dullien, a.k.a Halvar Flake, CEO and head of research at Sabre Security, believes the inclusion of ASLR (address space layout randomization) in Vista will make client side exploits of Microsoft Office file format parsing bugs a lot harder.

Because ASLR randomly arranges the positions of key data areas to stop attackers from predicting target addresses, Dullien wrote on the Daily Dave mailing list that client-side bugs in Vista will be near impossible to reliably exploit.
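One caveat a defender should check before counting on that protection: Vista only randomizes the load address of images linked with /DYNAMICBASE, which sets the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit in the PE optional header. The script below is an added example, not code from the article, eEye or Microsoft; it reads that bit from any .exe or .dll so you can tell whether a given Office module would actually benefit from ASLR. The minimal PE header it parses in its demo is constructed inline and is not a real program.

```python
import struct

# DllCharacteristics bits from winnt.h.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased -> ASLR applies
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given its raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF file header follows the signature; the optional header follows it.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", image, opt + 70)[0]


def aslr_opt_in(image: bytes) -> bool:
    """True if the image asks the Vista loader to randomize its base address."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_sample_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (headers only, not runnable) for the demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    # Machine=i386, no sections, SizeOfOptionalHeader=224, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    modern = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    for name, chars in (("opted-in build", modern), ("legacy build", 0)):
        print("%-14s ASLR: %s" % (name, aslr_opt_in(build_sample_pe(chars))))
```

To audit a real installation, call `aslr_opt_in(open(path, "rb").read())` on each Office executable and DLL; a module reporting False loads at its preferred base regardless of the OS setting.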

"Client-side bugs in MSOffice are approaching their expiration date. Not quickly, as most customers will not switch to Vista immediately, but they are showing the first brown spots, and will at some point start to smell," he said.

This most likely explains why zero-day Office exploits are being fired with alarming regularity.

  • Marc is the man!

    I've met Marc a few times and if he says there is a vulnerability, there is a vulnerability. He's never been out for praise or recognition. He genuinely wants to see things more secure. We need more corporate execs like him.
  • I am downplaying this...

    Our Chief Security Officer started berating me for this. I immediately stuck my hand in his face and said "Talk to the hand". I then called my rep and received the latest Powerpoint slides about "secure by design" and "trustworthy computing". My rep then came by and paid a "surprise" visit to our company, bringing donuts and bagels. My rep then told my CSO that Adobe is less secure than Microsoft and produced Microsoft "facts" to back it up. When my CSO mentioned some other companies using UNIX and Adobe for their desktop platform had no security issues, my rep calmly said that the Microsoft value-add was "better together" and that the "people ready business" was more important. I then ran around with my "The WOW starts NOW" Vista shirt and accidentally ran into the CSO and threw him to the floor.
    Mike Cox
    • Hey! What about the lunch? 9.5!

      Grayson Peddie
  • I am moving quickly

    to get my team of Publisher web engineers to find the best workaround practices. I have only the best Publisher web site builders/engineers in the world. This is the premier web building tool in the world and it's all we use. This is creating a huge stir, and zdnet's post with its large amount of detail on how the vulnerability is exploited has helped my team immensely.
    Once we are all on Vista and client side bugs are also history, we'll be able to go back to our normal high end Publisher web designs. Look out Google!
    For the tiny fraction of you that currently don't use Publisher as your main web building tool, please visit immediately and find the Publisher power that defines the world wide web.
    • re: I am moving quickly

      BZZZZZZZT! Only a 5.2 for you. No donuts and bagels means a lower score.

      Not to mention, no lunch, :)
      M.R. Kennedy