Microsoft knew of critical Office ActiveX bug in '07

Flaw that hackers have exploited for weeks reached Microsoft in March 2007

Three of the critical vulnerabilities Microsoft patched Tuesday in ActiveX controls for Office were first reported to the company two years ago, according to the security firm that alerted Microsoft of the flaws.

All three of the bugs were reported by the Zero Day Initiative (ZDI), a bug bounty program run by TippingPoint Technologies, a security development and research arm of 3Com. The trio were among the four vulnerabilities Microsoft patched Tuesday in Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them using Internet Explorer (IE).

One of the TippingPoint vulnerabilities, found in the ActiveX control used by IE to display Excel spreadsheets, has been exploited by hackers for more than a month to launch "drive-by" attacks from malicious or hijacked sites.

In several ZDI advisories posted yesterday, TippingPoint said it had reported two of the vulnerabilities to Microsoft in March, 2007, while the third was reported in December 2007.

"In general, Microsoft is one of the better vendors we work with in fixing vulnerabilities in a timely manner," said Cody Pierce, a TippingPoint security researcher, today. "But it's hard to say whether this timeline is warranted."

Even though Microsoft knew about two of the bugs for 29 months and the third for 20 months, Pierce hesitated to slam the developer for not fixing the flaws earlier. "Vulnerabilities like the ones disclosed this month are fairly complex and can sometimes take years to develop a patch that won't screw up the application," he said.

Pierce also confirmed that the oldest of the three TippingPoint vulnerabilities was the one that has been exploited by hackers for a month or more. TippingPoint reported that vulnerability to Microsoft on March 19, 2007.

On July 13, 2009, a day before that month's security updates were slated to release, Microsoft issued an advisory that warned users of ongoing attacks against IE users. That same day, U.K.-based security company Sophos said it had uncovered multiple Web sites, many of them hosted on Chinese domains, that were serving up the ActiveX exploit as part of a multi-strike attack toolkit.

Don Retallack, an analyst for Directions on Microsoft, also declined to take Microsoft to the woodshed over the long lag time between bug reporting and bug fixing.

"I'm not sure what I would read into the long delay," he said. "[But] Microsoft's security team is very professional, very methodical and very conservative." It takes time for Microsoft to develop patches, then test them against the wide range of products it supports, he added. Getting a patch right is more important than getting a patch out quickly. "That's the right thing to do."

Retallack also said even Microsoft doesn't have unlimited resources, and so must prioritize its patch work. "With privately-reported vulnerabilities, they can take their time to make sure they have a proper fix," he said, "so those get a lower priority than vulnerabilities which are public and are being exploited."

Because there apparently weren't any in-the-wild exploits of the OWC ActiveX controls until last month, Retallack was willing to give Microsoft a pass. "They can act fairly quickly when something is being actively attacked," Retallack said, noting that the company patched the exploited bug in just over a month from the time it issued the security advisory.

Microsoft has recently come under fire for reacting slowly to security issues. Last month, for example, it confirmed that a vulnerability in another ActiveX control had been reported in early 2008. Like the OWC bug, that vulnerability was also exploited by hackers before Microsoft had patched the problem.

At the time, John Pescatore, Gartner's primary security analyst, criticized Microsoft's pace. "That's just not an acceptable timeframe," Pescatore said last month. "It shouldn't take a year, not [for] a company the size of Microsoft.

Microsoft defended its patch process again today.

"Every vulnerability is different and has its own unique challenges," argued Christopher Budd, a spokesman for the Microsoft Security Research Center (MSRC). "Providing a quality, timely update to customers is of the utmost importance to Microsoft. As such, the company will only release updates after they've gone through a disciplined, rigorous development and testing process."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags 3ComMicrosoftactivexmicrosoft office

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?