Microsoft knew of critical Office ActiveX bug in '07

Flaw that hackers have exploited for weeks reached Microsoft in March 2007

Three of the critical vulnerabilities Microsoft patched Tuesday in ActiveX controls for Office were first reported to the company two years ago, according to the security firm that alerted Microsoft of the flaws.

All three of the bugs were reported by the Zero Day Initiative (ZDI), a bug bounty program run by TippingPoint Technologies, a security development and research arm of 3Com. The trio were among the four vulnerabilities Microsoft patched Tuesday in Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them using Internet Explorer (IE).

One of the TippingPoint vulnerabilities, found in the ActiveX control used by IE to display Excel spreadsheets, has been exploited by hackers for more than a month to launch "drive-by" attacks from malicious or hijacked sites.

In several ZDI advisories posted yesterday, TippingPoint said it had reported two of the vulnerabilities to Microsoft in March, 2007, while the third was reported in December 2007.

"In general, Microsoft is one of the better vendors we work with in fixing vulnerabilities in a timely manner," said Cody Pierce, a TippingPoint security researcher, today. "But it's hard to say whether this timeline is warranted."

Even though Microsoft knew about two of the bugs for 29 months and the third for 20 months, Pierce hesitated to slam the developer for not fixing the flaws earlier. "Vulnerabilities like the ones disclosed this month are fairly complex and can sometimes take years to develop a patch that won't screw up the application," he said.

Pierce also confirmed that the oldest of the three TippingPoint vulnerabilities was the one that has been exploited by hackers for a month or more. TippingPoint reported that vulnerability to Microsoft on March 19, 2007.

On July 13, 2009, a day before that month's security updates were slated to release, Microsoft issued an advisory that warned users of ongoing attacks against IE users. That same day, U.K.-based security company Sophos said it had uncovered multiple Web sites, many of them hosted on Chinese domains, that were serving up the ActiveX exploit as part of a multi-strike attack toolkit.

Don Retallack, an analyst for Directions on Microsoft, also declined to take Microsoft to the woodshed over the long lag time between bug reporting and bug fixing.

"I'm not sure what I would read into the long delay," he said. "[But] Microsoft's security team is very professional, very methodical and very conservative." It takes time for Microsoft to develop patches, then test them against the wide range of products it supports, he added. Getting a patch right is more important than getting a patch out quickly. "That's the right thing to do."

Retallack also said even Microsoft doesn't have unlimited resources, and so must prioritize its patch work. "With privately-reported vulnerabilities, they can take their time to make sure they have a proper fix," he said, "so those get a lower priority than vulnerabilities which are public and are being exploited."

Because there apparently weren't any in-the-wild exploits of the OWC ActiveX controls until last month, Retallack was willing to give Microsoft a pass. "They can act fairly quickly when something is being actively attacked," Retallack said, noting that the company patched the exploited bug in just over a month from the time it issued the security advisory.

Microsoft has recently come under fire for reacting slowly to security issues. Last month, for example, it confirmed that a vulnerability in another ActiveX control had been reported in early 2008. Like the OWC bug, that vulnerability was also exploited by hackers before Microsoft had patched the problem.

At the time, John Pescatore, Gartner's primary security analyst, criticized Microsoft's pace. "That's just not an acceptable timeframe," Pescatore said last month. "It shouldn't take a year, not [for] a company the size of Microsoft.

Microsoft defended its patch process again today.

"Every vulnerability is different and has its own unique challenges," argued Christopher Budd, a spokesman for the Microsoft Security Research Center (MSRC). "Providing a quality, timely update to customers is of the utmost importance to Microsoft. As such, the company will only release updates after they've gone through a disciplined, rigorous development and testing process."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftactivexmicrosoft office3Com

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Father’s Day Gift Guide

Brand Post

PC World Evaluation Team Review - MSI GT75 TITAN

"I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it."

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?