Microsoft knew of critical Office ActiveX bug in '07

Flaw that hackers have exploited for weeks reached Microsoft in March 2007

Three of the critical vulnerabilities Microsoft patched Tuesday in ActiveX controls for Office were first reported to the company two years ago, according to the security firm that alerted Microsoft of the flaws.

All three of the bugs were reported by the Zero Day Initiative (ZDI), a bug bounty program run by TippingPoint Technologies, a security development and research arm of 3Com. The trio were among the four vulnerabilities Microsoft patched Tuesday in Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them using Internet Explorer (IE).

One of the TippingPoint vulnerabilities, found in the ActiveX control used by IE to display Excel spreadsheets, has been exploited by hackers for more than a month to launch "drive-by" attacks from malicious or hijacked sites.

In several ZDI advisories posted yesterday, TippingPoint said it had reported two of the vulnerabilities to Microsoft in March, 2007, while the third was reported in December 2007.

"In general, Microsoft is one of the better vendors we work with in fixing vulnerabilities in a timely manner," said Cody Pierce, a TippingPoint security researcher, today. "But it's hard to say whether this timeline is warranted."

Even though Microsoft knew about two of the bugs for 29 months and the third for 20 months, Pierce hesitated to slam the developer for not fixing the flaws earlier. "Vulnerabilities like the ones disclosed this month are fairly complex and can sometimes take years to develop a patch that won't screw up the application," he said.

Pierce also confirmed that the oldest of the three TippingPoint vulnerabilities was the one that has been exploited by hackers for a month or more. TippingPoint reported that vulnerability to Microsoft on March 19, 2007.

On July 13, 2009, a day before that month's security updates were slated to release, Microsoft issued an advisory that warned users of ongoing attacks against IE users. That same day, U.K.-based security company Sophos said it had uncovered multiple Web sites, many of them hosted on Chinese domains, that were serving up the ActiveX exploit as part of a multi-strike attack toolkit.

Don Retallack, an analyst for Directions on Microsoft, also declined to take Microsoft to the woodshed over the long lag time between bug reporting and bug fixing.

"I'm not sure what I would read into the long delay," he said. "[But] Microsoft's security team is very professional, very methodical and very conservative." It takes time for Microsoft to develop patches, then test them against the wide range of products it supports, he added. Getting a patch right is more important than getting a patch out quickly. "That's the right thing to do."

Retallack also said even Microsoft doesn't have unlimited resources, and so must prioritize its patch work. "With privately-reported vulnerabilities, they can take their time to make sure they have a proper fix," he said, "so those get a lower priority than vulnerabilities which are public and are being exploited."

Because there apparently weren't any in-the-wild exploits of the OWC ActiveX controls until last month, Retallack was willing to give Microsoft a pass. "They can act fairly quickly when something is being actively attacked," Retallack said, noting that the company patched the exploited bug in just over a month from the time it issued the security advisory.

Microsoft has recently come under fire for reacting slowly to security issues. Last month, for example, it confirmed that a vulnerability in another ActiveX control had been reported in early 2008. Like the OWC bug, that vulnerability was also exploited by hackers before Microsoft had patched the problem.

At the time, John Pescatore, Gartner's primary security analyst, criticized Microsoft's pace. "That's just not an acceptable timeframe," Pescatore said last month. "It shouldn't take a year, not [for] a company the size of Microsoft.

Microsoft defended its patch process again today.

"Every vulnerability is different and has its own unique challenges," argued Christopher Budd, a spokesman for the Microsoft Security Research Center (MSRC). "Providing a quality, timely update to customers is of the utmost importance to Microsoft. As such, the company will only release updates after they've gone through a disciplined, rigorous development and testing process."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Microsoftactivexmicrosoft office3Com

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?