Microsoft has confirmed Wednesday that it is looking
into reports of a new Office
zero-day flaw attackers could exploit to cause a denial of
service or run malicious code on targeted Windows
machines.
Antivirus giant Symantec released an email
advisory on the flaw to customers of its DeepSight threat
management system early afternoon US time on 23 May. A couple hours
later, a Microsoft spokesperson confirmed the company is
investigating the report. At issue is a buffer overflow flaw in
Office 2000's UA ActiveX control. Because of the flaw, the
application fails to properly check user-supplied data before
copying it into a poorly-sized buffer, Symantec said.
"This issue occurs when an excessive amount of data is passed to
the 'HelpPopup' method of the 'OUACTRL.OCX' ActiveX control,"
Symantec said. "Successfully exploiting this issue allows remote
attackers to execute arbitrary code in the context of the
application using the ActiveX control (typically Internet
Explorer). Failed exploit attempts likely result in
denial-of-service conditions."
Symantec said the flaw was discovered by a researcher named
Shinnai, who has posted exploit code. To successfully exploit the
flaw, an attacker must trick an unsuspecting user into accessing a
malicious Web page.
The Microsoft spokesperson said Microsoft is not aware of any
attacks attempting to use the flaw, but that it will continue to
investigate the issue.
"Upon completion of this investigation, Microsoft will take the
appropriate action to protect our customers, which may include
issuing a security advisory or providing a security update through
our monthly release process, depending on customer needs," she
added.
For now, Symantec recommends users mitigate the threat by
disabling ActiveX scripting in Internet Explorer, or set the kill
bit on CLSID:8936033C-4A50-11D1-98A4-00A0C90F27C6.