20 September 2006
Office and IE vulnerability surfaces
Yet another vulnerability and exploit has been found for Microsoft products. This time it's Office 2007 and Internet Explorer using Vector Markup Language(VML).
This is a slight modification to a bug that was fixed in 2004. The impact of this exploit now is potentially larger as a result of Office's Open XML format which relies on VML.
Microsoft has created a scenario of how an attacker might use the exploit. Their idea is that the exploit will sit on a website. When a person views the site the exploit could give an attacker the same permission as the person using their machine locally. (Another note as to why you shouldn't log on as administrator in Windows and root in Linux.)
Of course this is only one method and others could be possible.
This is a slight modification to a bug that was fixed in 2004. The impact of this exploit now is potentially larger as a result of Office's Open XML format which relies on VML.
Microsoft has created a scenario of how an attacker might use the exploit. Their idea is that the exploit will sit on a website. When a person views the site the exploit could give an attacker the same permission as the person using their machine locally. (Another note as to why you shouldn't log on as administrator in Windows and root in Linux.)
Of course this is only one method and others could be possible.
Labels: IE, microsoft, office, vulnerability
