Web Components spell danger for Microsoft software

By Alun Williams

Posted on 23 Aug 2002 at 12:35

Critical flaws emerge across Microsoft's product line through vulnerabilities in its Office Web Components technology.

The flaws described in Security Bulletin MS02-044, Unsafe Functions in Office Web Components, are rated as 'critical' for client systems, but low or moderate for server systems. Potentially, attackers could execute commands on a user's machine and access files on their system.

The Microsoft Office Web Components involve ActiveX controls to provide Office functionality through a browser, without requiring that the user install the full Microsoft Office application. However, it appears malicious Web sites or HTML mail may be able to take advantage of the controls.

The 2000 and 2002 editions of Microsoft Office Web Components contain the vulnerabilities and the products that are affected - through their use of Web Components technology - include Office XP, Project 2002 and Money 2003.

The full list comprises: BackOffice Server 2000, BizTalk Server 2000, BizTalk Server 2002, Commerce Server 2000, Commerce Server 2002, Internet Security and Acceleration Server 2000, Money 2002, Money 2003, Office 2000, Office XP, Project 2002, Project Server 2002 and Small Business Server 2000

Microsoft recommends that users of these products should install the appropriate patches immediately.

In more detail, the vulnerabilities relate to the Host() function (by which an attacker could remotely execute commands), the LoadText() function (by which files could be read on the user's system) and the Copy()/Paste() functions (which could give access to the contents of the users paste buffer).

More information on the patches available can read be read in the MS02-044 bulletin on Microsoft's TechNet Web site.