Microsoft knew of critical Office ActiveX bug in '07

Flaw that hackers have exploited for weeks reached Microsoft in March 2007

Three of the critical vulnerabilities Microsoft patched Tuesday in ActiveX controls for Office were first reported to the company two years ago, according to the security firm that alerted Microsoft of the flaws.

All three of the bugs were reported by the Zero Day Initiative (ZDI), a bug bounty program run by TippingPoint Technologies, a security development and research arm of 3Com. The trio were among the four vulnerabilities Microsoft patched Tuesday in Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them using Internet Explorer (IE).

One of the TippingPoint vulnerabilities, found in the ActiveX control used by IE to display Excel spreadsheets, has been exploited by hackers for more than a month to launch "drive-by" attacks from malicious or hijacked sites.

In several ZDI advisories posted yesterday, TippingPoint said it had reported two of the vulnerabilities to Microsoft in March, 2007, while the third was reported in December 2007.

"In general, Microsoft is one of the better vendors we work with in fixing vulnerabilities in a timely manner," said Cody Pierce, a TippingPoint security researcher, today. "But it's hard to say whether this timeline is warranted."

Even though Microsoft knew about two of the bugs for 29 months and the third for 20 months, Pierce hesitated to slam the developer for not fixing the flaws earlier. "Vulnerabilities like the ones disclosed this month are fairly complex and can sometimes take years to develop a patch that won't screw up the application," he said.

Pierce also confirmed that the oldest of the three TippingPoint vulnerabilities was the one that has been exploited by hackers for a month or more. TippingPoint reported that vulnerability to Microsoft on March 19, 2007.

On July 13, 2009, a day before that month's security updates were slated to release, Microsoft issued an advisory that warned users of ongoing attacks against IE users. That same day, U.K.-based security company Sophos said it had uncovered multiple Web sites, many of them hosted on Chinese domains, that were serving up the ActiveX exploit as part of a multi-strike attack toolkit.

Don Retallack, an analyst for Directions on Microsoft, also declined to take Microsoft to the woodshed over the long lag time between bug reporting and bug fixing.

"I'm not sure what I would read into the long delay," he said. "[But] Microsoft's security team is very professional, very methodical and very conservative." It takes time for Microsoft to develop patches, then test them against the wide range of products it supports, he added. Getting a patch right is more important than getting a patch out quickly. "That's the right thing to do."

Retallack also said even Microsoft doesn't have unlimited resources, and so must prioritize its patch work. "With privately-reported vulnerabilities, they can take their time to make sure they have a proper fix," he said, "so those get a lower priority than vulnerabilities which are public and are being exploited."

Because there apparently weren't any in-the-wild exploits of the OWC ActiveX controls until last month, Retallack was willing to give Microsoft a pass. "They can act fairly quickly when something is being actively attacked," Retallack said, noting that the company patched the exploited bug in just over a month from the time it issued the security advisory.

Microsoft has recently come under fire for reacting slowly to security issues. Last month, for example, it confirmed that a vulnerability in another ActiveX control had been reported in early 2008. Like the OWC bug, that vulnerability was also exploited by hackers before Microsoft had patched the problem.

At the time, John Pescatore, Gartner's primary security analyst, criticized Microsoft's pace. "That's just not an acceptable timeframe," Pescatore said last month. "It shouldn't take a year, not [for] a company the size of Microsoft.

Microsoft defended its patch process again today.

"Every vulnerability is different and has its own unique challenges," argued Christopher Budd, a spokesman for the Microsoft Security Research Center (MSRC). "Providing a quality, timely update to customers is of the utmost importance to Microsoft. As such, the company will only release updates after they've gone through a disciplined, rigorous development and testing process."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftactivexmicrosoft office3Com

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?