Office and IE Under Fire (Again)

News of the unpatched PowerPoint vulnerability (via eWeek) comes after a summer-long struggle to contain vulnerabilities in Microsoft Office, the office suite that maintains a venerable monopoly in the market.  As with previous PowerPoint exploits, this one uses a rigged PowerPoint file to install a backdoor application.  I found some additional information available from Symantec; read that here.

Similarly, another exploit has surfaced for Internet Explorer.  This exploit takes advantage of a flaw that was supposedly brought to Microsoft’s attention back in July and apparently still remains unpatched.  Fortunately, additional information on the IE vulnerability is available; here are some relevant links:

SecurityFocus:  Microsoft Internet Explorer WebViewFolderIcon Buffer Overflow Vulnerability
OSVDB:  Microsoft IE WebViewFolderIcon setSlice Overflow

No word yet on any workarounds for this vulnerability or the published exploit.

Finally, in slightly related news: a couple of days ago, Microsoft released an out-of-band patch (MS06-055) for the VML vulnerability I mentioned last week.  As usual, it’s available via Windows Update, WSUS, and various other distribution mechanisms.
