The vulnerability resides in Microsoft’s Office Web Components, which are used for publishing spreadsheets, charts and databases to the Web, among other functions. The company is working on a patch but did not indicate when it would be released, according to an advisory.
“Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we’ve only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user,” wrote Dave Forstrom, a group manager who is part of Microsoft’s Security Response Center, in a blog post.
An ActiveX control is a small add-on program that works in a Web browser to facilitate functions such as downloading programs or security updates. Over the years, however, the controls have been prone to vulnerabilities.
The new flaw comes just a day before the company is set to release its monthly patches, including one for another zero-day vulnerability revealed earlier this month. That problem lies with the Video ActiveX control within Internet Explorer and is currently being used by hackers in drive-by download attempts.
In cases of especially dangerous vulnerabilities, Microsoft has deviated from its patching schedule and issued one out of cycle.
Microsoft said that the flaw could allow an attacker to execute code remotely on a machine if someone using Internet Explorer visits a malicious Web site, a hacking technique known as a drive-by download. Web sites that host user-provided content or advertisements could be rigged to take advantage of the vulnerability.
“In all cases, however, an attacker would have no way to force users to visit these Web sites,” the advisory said. “Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.”
Microsoft issued a list of affected software, which includes Office XP Service Pack 3, 2003 Service Pack 3, several versions of Internet Security and Acceleration Server and Office Small Business Accounting 2006, among others.
Until a patch is ready, Microsoft said one option for administrators is to disable Office Web Components from running in Internet Explorer and has provided instructions.