Possible new Microsoft Office security flaw

Attackers can exploit a new buffer-overflow flaw in Microsoft Office to cause a denial of service or run malicious code on targeted machines via IE

Just a day after Microsoft patched 15 flaws across its product line, Symantec has warned of a new flaw with exploit code for Microsoft Office.

It seesm that attackers could exploit it via Internet Explorer (IE) to cause a denial of service or run malicious code on targeted machines. Microsoft has confirmed that it is investigating the reported flaw.

In an email alert to customers of its DeepSight threat management service, Symantec said researcher Yag Kohha discovered the flaw and released exploit code. Specifically, the flaw is in the MSODataSourceControl ActiveX control within Office. The ActiveX control is prone to a buffer-overflow condition because the application fails to bounds check user-supplied data before copying it into an irregularly-sized buffer.

"This issue occurs when an excessive amount of data is passed to the 'HelpPopup' method of the 'DeleteRecordSourceIfUnused()' method of the MSODataSourceControl ActiveX control," Symantec said. "Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions."

To exploit this issue, Symantec said, an attacker must trick the user into accessing a malicious Web page. To prevent successful exploits, Symantec recommended users disable Active Scripting in Internet Explorer or set the kill bit on CLSID:{0002E55B-0000-0000-C000-000000000046}.

The new flaw report follows the recent trend where new vulnerabilities are disclosed immediately after Microsoft's monthly patch release. Microsoft released six security bulletins to fix 15 flaws across its product line Tuesday, including Windows XP, Vista and Internet Explorer 7. Attackers could exploit the most serious flaws remotely to run malicious code on victims' machines.

Mark Griesi, security program manager for the Microsoft Security Response Center (MSRC), confirmed in an email Wednesday afternoon that Microsoft is investigating the new flaw report.

"Microsoft is investigating new public claims of a possible vulnerability in Microsoft Office," he said. "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. We will take steps to determine how customers can protect themselves should we confirm the vulnerability."

Once the investigating is finished, he said, the company will take appropriate action to protect customers. "This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves," he said.

Read more on Operating systems software