First Microsoft Office 2007 Vulnerability Uncovered

A remotely exploitable vulnerability that exists within Office's Publisher 2007 allows a hacker to remotely execute arbitrary code as a logged-in user, security firm eEye says.

Sharon Gaudin, Contributor

February 23, 2007


Security company eEye Digital Security has reportedly found the first vulnerability in Microsoft's newly released Office 2007.

The company posted an advisory on its Web site saying eEye researchers found the flaw and reported it to Microsoft on Feb. 16. It's a remotely exploitable vulnerability that exists within Office's Publisher 2007. It allows a hacker to remotely execute arbitrary code as if he were an actual logged-in user.

Ross Brown, CEO of eEye, says they've given it a "high" security rating, but adds that Microsoft would more than likely classify it as a "critical" vulnerability. He adds that they haven't yet seen any exploit for the flaw.

Brown and Andre Derek Protas, a security researcher with eEye, both hesitated to say where the flaw is in Publisher or what kind of flaw it is for fear that it would only help hackers build an exploit for it.

"I'll give [Microsoft] a lot of credit in raising their level of responsiveness," says Brown. "But it's one thing to have a flaw and it's another thing to have a remote control flaw. Through their trustworthy computing initiative, they've implemented code quality processes. With something so recently released to have a remote control vulnerability, was a real surprise to our researchers."

Protas says he had been hoping for tighter security in this latest version of Office, but he's pretty doubtful now.

"I'd say we are dealing with the same level of security as we did with Office 2000 and Office 2003. It's not going to be the silver bullet of Office security."

A Microsoft spokesman, responding to information questions in an e-mail, said Microsoft is investigating new reports of a possible vulnerability in Microsoft Publisher 2007.

"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time," he says. "Microsoft will continue to work with eEye to further understand this report as part of our standard MSRC investigation process and will provide additional guidance for customers as necessary."
