Researchers have discovered a “highly critical” security flaw in Microsoft’s four-week-old productivity suite Office 2007. Security firm eEye Digital Security has announced that it has found the first Office 2007 remote code vulnerability.
The warning, posted on eEye’s Upcoming Advisories site, names Publisher 2007, the desktop and Web publishing program included with some editions of Office, as the flawed application. “A remotely exploitable flaw exists within Publisher 2007 that allows arbitrary code to be executed in the context of the logged in user,” reads the vulnerability description on the site.
The file format could be exploited to let an outsider run code on a compromised PC. It allows a hacker to remotely execute arbitrary code as if he were an actual logged-in user. The researchers, however, refused to give any further details about the flaw, such as where it is in Publisher or what kind of flaw it is, for fear that doing so may help hackers build an exploit for it.
Microsoft confirmed that it is working with eEye to look into the possible vulnerability. The company, however, said that so far it is not aware of any attacks attempting to use the reported vulnerability.
In the last few months, users of Microsoft’s Office productivity suites, including Office 2000 and Office 2003, have faced several flaws. In 2006, Microsoft released 13 security updates for Office 2000 and 11 for Office 2003. This year has already seen the company release four bulletins for Office 2000 and six for Office 2003.
Last month, eEye issued another alert that “affects” Windows Vista, and no other Microsoft operating system.