
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Microsoft Office Updates Fix ActiveX Controls and Outlook

July 13, 2010 By The Editor

Summary:

  • These vulnerabilities affect: Microsoft Office 2002, 2003, and 2007 (Windows only) or the components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to a malicious website, or into opening a malicious attachment.
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing three vulnerabilities that affect the Windows versions of Microsoft Office 2002, 2003, and 2007 or components that ship with it. Each vulnerability affects Office components to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-044: Various Office ActiveX Control Code Execution Vulnerabilities

ActiveX controls are essentially small programs, often shared between applications, that work behind the scenes performing minor tasks on Windows-based computers. They are somewhat like Microsoft-only Java applets. Many Microsoft applications, including Office, ship with many different ActiveX controls for performing various tasks. For instance, Microsoft Office installs an ActiveX control (common to both Outlook and IE) that allows elements of your Outlook environment, such as your calendar or email messages, to be viewed as a web page.

Unfortunately, some of the ActiveX controls that ship with Office 2003 and the 2007 Microsoft Office System suffer from two vulnerabilities involving the way these controls handle memory. While the flaws differ technically, they share the same end result. If an attacker can entice one of your users into visiting a maliciously crafted web page, he can exploit either of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.
Microsoft rating: Critical.

  • MS10-045: Outlook Attachment Code Execution Vulnerability

Outlook suffers from a code execution vulnerability because it mishandles attachments that have been attached to an email in a particular way. Microsoft’s bulletin doesn’t describe exactly what type of attachment causes the issue. The flaw lies in how the attachment is attached (using the ATTACH_BY_REFERENCE value of the PR_ATTACH_METHOD property) rather than in what type of attachment it is. In any case, by enticing one of your users into opening an attachment from a specially crafted email, an attacker can exploit this flaw to execute code on your user’s computer, with that user’s privileges. Since most Windows users have local administrative privileges, the attacker would likely gain full control of your user’s computer.
Microsoft rating: Important.
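For triage, a defender may want to spot messages whose attachments use a by-reference attach method rather than carrying their data inline. The following is an added example (not from the original post or from Microsoft): it parses the fixed-length entries of an attachment's property stream as laid out in the MS-OXMSG .msg format and reports the PR_ATTACH_METHOD value. The tag 0x3705 and the method constants are taken from the MAPI definitions; the sample stream is constructed inline.

```python
import struct

# MAPI property PR_ATTACH_METHOD: property id 0x3705, type PT_LONG (0x0003).
PR_ATTACH_METHOD = 0x3705
PT_LONG = 0x0003
# Values of PR_ATTACH_METHOD as defined by MAPI.
ATTACH_METHODS = {
    0: "NO_ATTACHMENT", 1: "ATTACH_BY_VALUE", 2: "ATTACH_BY_REFERENCE",
    3: "ATTACH_BY_REF_RESOLVE", 4: "ATTACH_BY_REF_ONLY",
    5: "ATTACH_EMBEDDED_MSG", 6: "ATTACH_OLE",
}
# "By reference" methods point at a path outside the message instead of embedding the data.
BY_REFERENCE = {2, 3, 4}

ATTACH_HEADER_LEN = 8  # reserved header of an attachment object's __properties_version1.0 stream


def parse_attachment_properties(stream: bytes) -> dict:
    """Parse the 16-byte property entries (type, id, flags, value) of an attachment
    property stream. Fixed-length PT_LONG values are decoded; for variable-length
    types the entry only holds the size, since the data lives in a separate stream."""
    props = {}
    body = stream[ATTACH_HEADER_LEN:]
    for off in range(0, len(body) - len(body) % 16, 16):
        ptype, pid, _flags = struct.unpack_from("<HHI", body, off)
        if ptype == PT_LONG:
            (value,) = struct.unpack_from("<i", body, off + 8)
        else:
            (value,) = struct.unpack_from("<I", body, off + 8)  # declared byte length
        props[pid] = value
    return props


def classify_attachment(stream: bytes) -> tuple:
    """Return (method name, True if the attachment is attached by reference)."""
    props = parse_attachment_properties(stream)
    method = props.get(PR_ATTACH_METHOD)
    name = ATTACH_METHODS.get(method, f"UNKNOWN({method})")
    return name, method in BY_REFERENCE


def build_attach_stream(method: int) -> bytes:
    """Constructed sample stream: PR_ATTACH_METHOD plus a PR_ATTACH_LONG_FILENAME
    (0x3707, PT_UNICODE 0x001F) size entry, as a real .msg attachment would carry."""
    header = b"\x00" * ATTACH_HEADER_LEN
    attach_method = struct.pack("<HHIiI", PT_LONG, PR_ATTACH_METHOD, 0x6, method, 0)
    long_filename = struct.pack("<HHIII", 0x001F, 0x3707, 0x6, 24, 0)  # 24-byte UTF-16 name
    return header + attach_method + long_filename


if __name__ == "__main__":
    print(classify_attachment(build_attach_stream(2)))  # ('ATTACH_BY_REFERENCE', True)
```

The parser works on the raw property stream; pulling that stream out of a .msg compound file (for example with olefile) is left to the caller.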

Solution Path:

Microsoft has released patches that correct all of these Office related vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-044:

  • Office 2003
  • 2007 Microsoft Office System
Other versions of Office are not affected.

MS10-045:

Outlook update for:

  • Office XP
  • Office 2003
  • 2007 Microsoft Office System

Does My Firewall Help?

Attackers can exploit these flaws using diverse methods, such as luring you to a seemingly normal website or enticing you into opening an unspecified attachment. Therefore, installing Microsoft’s updates is your most secure course of action. That said, in general, we recommend you train your users to avoid opening any unsolicited attachment.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS10-044
  • Microsoft Security Bulletin MS10-045

Filed Under: Security Bytes Tagged With: Microsoft, outlook

