July 14, 2009, 7:12 AM — Microsoft said on Monday it is investigating a reported zero-day vulnerability in Microsoft Office Web Components that, if exploited, could give an attacker the same control over a PC as the user.
The company says it knows of attempts to exploit this vulnerability.
This exploit in Microsoft Office Web Components is possible because in Internet Explorer code execution is done remotely, and therefore doesn’t require user intervention. The result is an attacker could exploit the vulnerability to deploy malware on the unsuspecting user’s PC.
Office Web Components are a collection of Component Object Model (COM) controls that publish spreadsheets, charts, and databases on the Web and allow for viewing of published components on the Web. This particular vulnerability resides in the Spreadsheet ActiveX control, according to a Microsoft blog post yesterday.
The company is working on a fix, and in the meantime suggests customers prevent Microsoft Office Web Components from running in Internet Explorer either manually or automatically.
Later today, Microsoft plans to release six security updates, three of which are deemed critical including a fix to a similar vulnerability in the Microsoft Video ActiveX Control that could give an attacker the same user rights as a PC’s owner.
Do you tweet? Follow me on Twitter here.