Microsoft knew of critical Office ActiveX bug in '07

Flaw that hackers have exploited for weeks reached Microsoft in March 2007

Three of the critical vulnerabilities Microsoft patched Tuesday in ActiveX controls for Office were first reported to the company two years ago, according to the security firm that alerted Microsoft of the flaws.

All three of the bugs were reported by the Zero Day Initiative (ZDI), a bug bounty program run by TippingPoint Technologies, a security development and research arm of 3Com. The trio were among the four vulnerabilities Microsoft patched Tuesday in Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them using Internet Explorer (IE).

One of the TippingPoint vulnerabilities, found in the ActiveX control used by IE to display Excel spreadsheets, has been exploited by hackers for more than a month to launch "drive-by" attacks from malicious or hijacked sites.

In several ZDI advisories posted yesterday, TippingPoint said it had reported two of the vulnerabilities to Microsoft in March, 2007, while the third was reported in December 2007.

"In general, Microsoft is one of the better vendors we work with in fixing vulnerabilities in a timely manner," said Cody Pierce, a TippingPoint security researcher, today. "But it's hard to say whether this timeline is warranted."

Even though Microsoft knew about two of the bugs for 29 months and the third for 20 months, Pierce hesitated to slam the developer for not fixing the flaws earlier. "Vulnerabilities like the ones disclosed this month are fairly complex and can sometimes take years to develop a patch that won't screw up the application," he said.

Pierce also confirmed that the oldest of the three TippingPoint vulnerabilities was the one that has been exploited by hackers for a month or more. TippingPoint reported that vulnerability to Microsoft on March 19, 2007.

On July 13, 2009, a day before that month's security updates were slated to release, Microsoft issued an advisory that warned users of ongoing attacks against IE users. That same day, U.K.-based security company Sophos said it had uncovered multiple Web sites, many of them hosted on Chinese domains, that were serving up the ActiveX exploit as part of a multi-strike attack toolkit.

Don Retallack, an analyst for Directions on Microsoft, also declined to take Microsoft to the woodshed over the long lag time between bug reporting and bug fixing.

"I'm not sure what I would read into the long delay," he said. "[But] Microsoft's security team is very professional, very methodical and very conservative." It takes time for Microsoft to develop patches, then test them against the wide range of products it supports, he added. Getting a patch right is more important than getting a patch out quickly. "That's the right thing to do."

Retallack also said even Microsoft doesn't have unlimited resources, and so must prioritize its patch work. "With privately-reported vulnerabilities, they can take their time to make sure they have a proper fix," he said, "so those get a lower priority than vulnerabilities which are public and are being exploited."

Because there apparently weren't any in-the-wild exploits of the OWC ActiveX controls until last month, Retallack was willing to give Microsoft a pass. "They can act fairly quickly when something is being actively attacked," Retallack said, noting that the company patched the exploited bug in just over a month from the time it issued the security advisory.

Microsoft has recently come under fire for reacting slowly to security issues. Last month, for example, it confirmed that a vulnerability in another ActiveX control had been reported in early 2008. Like the OWC bug, that vulnerability was also exploited by hackers before Microsoft had patched the problem.

At the time, John Pescatore, Gartner's primary security analyst, criticized Microsoft's pace. "That's just not an acceptable timeframe," Pescatore said last month. "It shouldn't take a year, not [for] a company the size of Microsoft.

Microsoft defended its patch process again today.

"Every vulnerability is different and has its own unique challenges," argued Christopher Budd, a spokesman for the Microsoft Security Research Center (MSRC). "Providing a quality, timely update to customers is of the utmost importance to Microsoft. As such, the company will only release updates after they've gone through a disciplined, rigorous development and testing process."

Join the CSO newsletter!

Error: Please check your email address.

Tags 3ComMicrosoftactivexmicrosoft office

More about 3Com Australia3Com AustraliaExcelGartnerMicrosoftSophosTippingPointTippingPoint

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place