Computerworld - Three of the critical vulnerabilities Microsoft patched Tuesday in ActiveX controls for Office were first reported to the company two years ago, according to the security firm that alerted Microsoft of the flaws.
All three of the bugs were reported by the Zero Day Initiative (ZDI), a bug bounty program run by TippingPoint Technologies, a security development and research arm of 3Com. The trio were among the four vulnerabilities Microsoft patched Tuesday in Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them using Internet Explorer (IE).
One of the TippingPoint vulnerabilities, found in the ActiveX control used by IE to display Excel spreadsheets, has been exploited by hackers for more than a month to launch "drive-by" attacks from malicious or hijacked sites.
In several ZDI advisories posted yesterday, TippingPoint said it had reported two of the vulnerabilities to Microsoft in March, 2007, while the third was reported in December 2007.
"In general, Microsoft is one of the better vendors we work with in fixing vulnerabilities in a timely manner," said Cody Pierce, a TippingPoint security researcher, today. "But it's hard to say whether this timeline is warranted."
Even though Microsoft knew about two of the bugs for 29 months and the third for 20 months, Pierce hesitated to slam the developer for not fixing the flaws earlier. "Vulnerabilities like the ones disclosed this month are fairly complex and can sometimes take years to develop a patch that won't screw up the application," he said.
Pierce also confirmed that the oldest of the three TippingPoint vulnerabilities was the one that has been exploited by hackers for a month or more. TippingPoint reported that vulnerability to Microsoft on March 19, 2007.
On July 13, 2009, a day before that month's security updates were slated to release, Microsoft issued an advisory that warned users of ongoing attacks against IE users. That same day, U.K.-based security company Sophos said it had uncovered multiple Web sites, many of them hosted on Chinese domains, that were serving up the ActiveX exploit as part of a multi-strike attack toolkit.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
