New Office Flaws Overshadow Patch Tuesday

Microsoft and security researchers are investigating reports of several potentially serious bugs affecting Microsoft Office, made public just as Microsoft patched critical flaws in Windows XP, Vista and other software on Tuesday.

Update: Microsoft has contested the reports of new Office flaws.

The fresh vulnerabilities appear as Microsoft is grappling with the side-effects of an out-of-cycle patch rushed out to combat a bug in the way Windows handles animated cursors. That flaw is being exploited by thousands of websites, spurring a quick fix, but the resulting patch itself caused problems for some users.

The new bugs appeared in several security forums on Monday, and were reported by security firms such as McAfee's Avert Labs on Tuesday.

"This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the public's exposure to these flaws until the next month's Patch Tuesday," wrote McAfee researcher Karthik Raman on Tuesday.

Raman said all but one of the Office flaws resulted in shutting down the application, but one heap-overflow flaw could be exploited to execute malicious code.

Microsoft said in a statement that it is investigating the reports, but isn't aware of any active exploitation. Microsoft and security firms both kept quiet on details of the flaws, citing the need to protect customers.

Separately, McAfee said it is analyzing proof-of-concept code for a zero-day bug in the way Windows handles HLP files. "This is another heap-overflow flaw that might be exploited for code execution," wrote McAfee's Raman.

Adding urgency to the need for an Office patch is that Word 2000 and XP have begun to be targeted by attacks exploiting a serious, unpatched bug (CVE-2007-0870) that was disclosed in February, according to security organizations such as eEye and the US' National Vulnerability Database.