Microsoft Office Bug May Lead To Drive-by Downloads

According to analysts, one of the Office flaws may be exploitable by behind-the-scenes "drive-by downloads" if vulnerable users simply surf to sites with Internet Explorer (IE).

"These issues pose a significant risk for computers that have the vulnerable Office suite installed and are used to browse the Internet or process Microsoft Office files," Symantec warned in an advisory issued minutes after Microsoft posted the bulletins.

Dubbed MS06-012, the bulletin involving Office came with a "critical" tag, Microsoft's most dire warning of the four it slaps on security alerts. The bulletin patches a half-dozen remote code execution vulnerabilities -- the worst kind because they can be exploited without local access -- and five of them are in various versions of Excel, the suite's widely-used spreadsheet. Late last year, one of the five had its 15 minutes of fame when it was briefly put up for sale on eBay.

Microsoft Office 2000, Office XP, Office 2003, and Microsoft Works Suites 2000 through 2006 must be patched as soon as possible, said the Redmond, Wash.-based developer. Two editions of the Macintosh version of Office, Office X for Mac and Office 2004 for Mac, are also at risk and should be updated from the Mactopia site.


While the five Excel flaws involve several parsing issues -- and all are deemed "critical" by Microsoft for users of Office 2000, "important" for Office XP and Office 2003 -- the sixth bug looks like the most dangerous, said analysts.

At issue is Office's "Document Routing" feature, which embeds "slips" in Office docs to automatically move files from one user to another. Both Word and PowerPoint have bugs that might let an attacker create files with specially-made slips, then use those to install other malware onto PCs whose users surf to malicious Web sites with IE.

"This one is a huge concern," said Amol Sarwate, the manager of Qualys' vulnerability research lab. "Office users aren't necessarily security savvy," he added, and might not realize that an unpatched suite is at risk simply by visiting the wrong Internet neighborhood.

"There's nothing here that's overwhelmingly 'Oh my goodness,'" countered Mike Murray, director of research at vulnerability management vendor nCircle. "And we're not 100 percent sure that any of these [vulnerabilities] require no user interaction." In fact, nCircle's research team is leaning toward the position that even the document routing bug can't be exploited without help from users. "Five of the six [the Excel bugs] definitely require interaction, and we're pretty confident that all six need it. But we're still researching."

Vulnerabilities that don't require action on the part of the user -- which can result in drive-by downloads -- have been attracting more attacker interest of late, especially after the wide success of a zero-day bug in Windows' handling of the Windows Metafile (WMF) image format late in 2005 and into early 2006.

Tuesday's second bulletin, MS06-011, impacts Windows XP SP1 (but not XP SP2) and Windows Server 2003.

The single bug called out by the bulletin was deemed "important" by Microsoft, which also said that an attacker would have to have valid log-on credentials to exploit it, and then would only end up with greater access than the account normally has.

"Even companies with only moderately good security [practices] should be safe from this," said nCircle's Murray.

MS06-011 fixed the flaw that Microsoft publicized in an early February advisory, which in turn was prompted by a paper presented in late January by a pair of Princeton University researchers.

If there was a silver lining in Tuesday's security updates, concluded Murray, it was in the trend toward lesser problems. Testing the Office update should be a relative snap compared to the QA that enterprises apply when deploying fixes for operating systems, for instance.

"These are certainly an annoyance, but they're not world shaking, turn-off-your-business-for-two-days-while-you-patch," he said. "If there's a trend, that's it. We've not had a Blaster in a long long time."

Users can obtain the month's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company maintains, such as Windows Server Update Services (WSUS) or Software Update Services (SUS).