July 15, 2009

Microsoft Warns Of Office Vulnerability To Cyberattacks

Microsoft Corp. warned on Tuesday that its Office desktop applications suite, which has already been hit by cybercriminals, could still be vulnerable to attacks unless users take proper precautions.

"Despite today's fixes, Windows users continue to be under attack. Microsoft is taking two steps forward, while attackers are putting it one step back," Dave Marcus, McAfee Inc.'s Avert Labs director of security research, told Reuters.

In a security bulletin issued on Tuesday, the company said it had made available a temporary fix that users must manually download to protect their PCs from cyberattack.

Microsoft's Office XP, 2003 and 2007 are susceptible to the attacks.

Microsoft said the problem is rooted in a type of plug-in component known as ActiveX, which helps Web sites launch pages rich in content. This particular ActiveX plug-in facilitates the transfer of spreadsheets between the Internet Explorer Web browser and a number of Microsoft Office applications.

The world's No. 1 software company did not disclose how many machines had been hacked. Patches to repair nine other security holes in its software were also released.

Microsoft's Windows operating system runs more than 90 percent of the world's PCs, with Office alone having some 500 million users. Hackers target the software because of its widespread use, allowing them to pursue the largest number of potential victims with a single set of code.

Cybercriminals also seize on Office's vulnerability by hiding malicious code on Web sites that load onto computers running Office software. Infected computers are then forced into a network of hijacked computers known as a botnet, where they are used for identity theft, spamming and other nefarious purposes.

Using a tool provided on Microsoft's Web site, users can prevent cyberattacks by disabling certain functions within the Office software that allow it to work over the Internet, Microsoft said.