main

Microsoft contests reports of new Office flaws

Slimy   on 12 April 2007 - 03:23 · 7 comments & 2471 views

Advertisement (Why?)
Right after Microsoft’s April Patch Tuesday, several security Web sites reported four new vulnerabilities, only to have Microsoft dispute that none of the three alleged to affect Word 2007 "demonstrate any vulnerability in Word 2007 or any Office 2007 products." The software giant is also disappointed that it was not notified of the alleged problems before they were publicly disclosed. Two of alleged Word 2007 problems are said to cause CPU usage to surge to 100%, creating a denial-of-service condition, according to a posting on the Security Vulnerabilities Web site. The third vulnerability Word 2007 could supposedly allow remote code execution.

The fourth alleged vulnerability, which concerns the ".hlp" extension for Windows help files, could lead to a heap overflow condition, the posting said. Microsoft acknowledged the problem, saying that .hlp is an "unsafe file format" and is executable, allowing it to run code when opened. The company said users should be cautious about opening unsolicited e-mail attachments with .hlp files. As always, Microsoft has warned that people should not open files sent from unknown sources.

News source: InfoWorld

Share this Article

About the Author

Full name: Unknown
User name: Slimy
Contact: via forum PM
Submissions: View All
More: View Profile

Related news

Post a comment · Send to friend Comments · There are 7 additional comments
#1 Krome on 12 Apr 2007 - 04:26
I smell a denial-of-security-flaw.
(1 reply) #2 MrCobra on 12 Apr 2007 - 04:39
Quote -
Microsoft acknowledged the problem, saying that .hlp is an "unsafe file format" and is executable, allowing it to run code when opened.


Why in the hell would they design a help format that can execute code? Stupid.
#2.1 +rm20010 on 12 Apr 2007 - 04:43
Microsoft did sort of do their part of fixing their past flaws by not enabling support for 32-bit HLP files in Vista by default. HLPs now do not open unless you get their updated WinHelp reader, and even that reader disables system file access for HLP files, thanks to UAC.

By executable, I'm guessing they're referring to those good old days of Windows 95 help files with shell links and embedded OLE objects.
(1 reply) #3 NightmarE D on 12 Apr 2007 - 05:01
That is stupid how they couldn't let Microsoft know before patch tuesday. They sit there and wait until a certain point to try and make Microsoft look bad.
#3.1 Krome on 12 Apr 2007 - 06:24
How did they know if Microsoft is going to release of such fix or even accept that there was a security threat? MS deny of the level of serious problem and yet said they didn't get notified. Either I smell BS or it was just MS.
#4 Z3r0 on 12 Apr 2007 - 07:52
lol, so a malformed file that causes 100% CPU usage in a program is now refered to as a Denial of Service attack!? Maybe some people will learn how to use CTRL-ALT-DEL.

Last edited by Z3r0 on 12 Apr 2007 - 07:58
#5 mashall246law on 12 Apr 2007 - 08:46
About iphone
Thank you so much for providing this.

Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Advertisement (Why?)
News powered by Neowin Management System (Build - 5.0.897) © 2000 - 2008 Neowin.net