Microsoft contests reports of new Office flaws

Right after Microsoft's April Patch Tuesday, several security Web sites reported four new vulnerabilities, only to have Microsoft dispute that none of the three alleged to affect Word 2007 "demonstrate any vulnerability in Word 2007 or any Office 2007 products." The software giant is also disappointed that it was not notified of the alleged problems before they were publicly disclosed. Two of alleged Word 2007 problems are said to cause CPU usage to surge to 100%, creating a denial-of-service condition, according to a posting on the Security Vulnerabilities Web site. The third vulnerability Word 2007 could supposedly allow remote code execution.

The fourth alleged vulnerability, which concerns the ".hlp" extension for Windows help files, could lead to a heap overflow condition, the posting said. Microsoft acknowledged the problem, saying that .hlp is an "unsafe file format" and is executable, allowing it to run code when opened. The company said users should be cautious about opening unsolicited e-mail attachments with .hlp files. As always, Microsoft has warned that people should not open files sent from unknown sources.

News source: InfoWorld

Report a problem with article
Previous Story

Google issues rallying call to developers

Next Story

Texas Instruments Debuts 'TI-Nspire'

6 Comments

Microsoft did sort of do their part of fixing their past flaws by not enabling support for 32-bit HLP files in Vista by default. HLPs now do not open unless you get their updated WinHelp reader, and even that reader disables system file access for HLP files, thanks to UAC.

By executable, I'm guessing they're referring to those good old days of Windows 95 help files with shell links and embedded OLE objects.

That is stupid how they couldn't let Microsoft know before patch tuesday. They sit there and wait until a certain point to try and make Microsoft look bad.

How did they know if Microsoft is going to release of such fix or even accept that there was a security threat? MS deny of the level of serious problem and yet said they didn't get notified. Either I smell BS or it was just MS.

lol, so a malformed file that causes 100% CPU usage in a program is now refered to as a Denial of Service attack!? Maybe some people will learn how to use CTRL-ALT-DEL.

Commenting is disabled on this article.