eEye spies first MS Office 2007 remote exploit

Security researchers at eEye Digital Security have found what is believed to be the first remotely exploitable vulnerability in a Microsoft Office 2007 application.
Written by Ryan Naraine, Contributor
Security researchers at eEye Digital Security have found what is believed to be the first remotely exploitable vulnerability in a Microsoft Office 2007 application.

In a bare bones alert posted to its Upcoming Advisories page, eEye said he flaw exists within Publisher 2007 and can allow arbitrary code execution in the context of the logged in user.

eEye's chief hacking officer Marc Maiffret said minimal user action is required to trigger the vulnerability.

Publisher 2007 is used mostly by businesses to create, design and publish professional-looking marketing material for print, e-mail and the Web.

A spokesman for the MSRC (Microsoft Security Response Center) confirmed receipt of eEye's discovery. "[We] will continue to work with eEye to further understand this report as part of our standard MSRC investigation process and will provide additional guidance for customers as necessary," he said.

Maiffret said the two companies are going through the "standard back-and-forth" information sharing process. "It always takes a few days to nail down the extent of the bug and understand the severity," he said. In the meantime, eEye has slapped a "high risk" rating on the vulnerability.

If confirmed by Microsoft, it would be the first major hole in the Office 2007 line, which went through the company's rigorous SDL (Security Development Lifecycle) process. But, although Microsoft's SDL is a significant investment in product security, Maiffret said it's no surprise to find remotely exploitable issues because of the large attack surface presented by the desktop productivity suite.

Since the end of the worm era (the last major network worm was Slammer in 2004), attackers researchers have shifted the focus to client side vulnerabilities and Microsoft Office has not held up well to scrutiny.

The statistics tell the entire story. In 2005, Microsoft shipped 2 bulletins with patches for Office 2003 flaws. In 2006, that number skyrocketed to 12 bulletins. In the first two months of 2007, Redmond has already released 6 bulletins, covering multiple bugs affecting Word, Excel and PowerPoint.

"Everytime Word or Excel crashes, that's an error that could be a security hole. Once Windows XP SP2 closed the door on worms, it became natural to look for file format issues. Microsoft Office is the perfect target for that," Maiffret explained.

Despite the evidence, there's a general feeling in security research circles that Windows Vista will provide some salvation from the Office bugs.

Thomas Dullien, a.k.a Halvar Flake, CEO and head of research at Sabre Security, believes the inclusion of ASLR (address space layout randomization) in Vista will make client side exploits of Microsoft Office file format parsing bugs a lot harder.

Because ASLR randomly arrange the positions of key data areas to block hackers from predicting target addresses, Dullien wrote on the Daily Dave mailing list that client-side bugs in Vista will be near impossible to reliably exploit.

"Client-side bugs in MSOffice are approaching their expiration date. Not quickly, as most customers will not switch to Vista immediately, but they are showing the first brown spots, and will at some point start to smell," he said.

This most likely explains why zero-day Office exploits are being fired with alarming regularity.

Editorial standards