Internet

Microsoft skeptical of Office security report

The software giant is downplaying a report of a security vulnerability in Microsoft Office documents that could theoretically be used by a malicious programmer to gain control of a target computer.

Microsoft is downplaying a report of a security vulnerability in Microsoft Office documents that could theoretically be used by a malicious programmer to gain control of a target computer.

In an advisory, Bulgarian security consultant Georgi Guninski yesterday said he identified a vulnerability in which double-clicking on Microsoft Office documents from Windows Explorer or launching a document from the "Start/Run" menu may allow an unauthorized person to take control of a computer. The exploit works in conjunction with certain dynamic link library (DLL) files, such as riched20.dll or msi.dll. DLLs are files that contain programming code used by multiple Windows applications.

Microsoft said it has investigated Guninski's report and confirmed the exploit. But the company said it is not a serious vulnerability because "there isn't a compelling exploit scenario."

Scott Culp, a program manager with Microsoft's Security Response Center, said in a Bugtraq email that the exploit requires the victim to run an untrusted DLL file in the same directory as a Microsoft Office document, posing a serious hurdle for would-be hackers.

"The user would need to take a series of deliberate steps that we believe would only occur as part of a social engineering attack," Culp wrote, referring to techniques that target the gullibility of Net users as opposed to technical flaws in software.

Culp said Microsoft considered two scenarios in which the exploit might be effective. In the first case, a malicious person would have to persuade people to download and run untrusted versions of DLL files on their machines in the same directory as a Microsoft Office document.

The other scenario is if a malicious person hosted a Microsoft Office document on his or her Web site, placed a Trojan horse file--an application that does something unexpected and potentially malicious--in the same directory as the Office document, and then sought to persuade someone to launch the Office document.

"It would not be possible to launch a Trojaned DLL simply by visiting a Web site and opening an Office document," Culp wrote.

Elias Levy, chief technology officer for SecurityFocus.com, agreed that the vulnerability exists only if a malicious person has attacked a computer network beforehand. But he said the exploit points to a real security problem in Microsoft Office.

"The problem is...in the core functionality in the Windows application that loads DLL," Levy said.