Two Office 2010 vulnerabilities leaked, Microsoft furious

Microsoft is furious with Vupen Security after it leaked information about two security vulnerabilities in Microsoft Office 2010, even though the software package has only been out a few weeks.

Vupen has identified 130 security flaws in 2010 alone, with most of them being in Microsoft products, which means that either Microsoft software is really insecure or Vupen does not like the company all that much. TechEye’s gamblers, which means all of us, are pretty divided on this one.

The technical details of the flaw were not revealed, to prevent hackers from using that information to exploit the bug, but Vupen did say that the flaw is a memory corruption which affects Excel. It said the bug was not easy to exploit, but that it had developed a specially crafted Excel document which could achieve reliable code execution.

Vupen found a second vulnerability in Word but would not give out details about it.

The exploits manage to bypass several security features in Office 2010, including Data Execution Prevention (DEP) and Office File Validation. Some of the tricks used were developed for Office 2007, suggesting that Microsoft has not resolved those weaknesses.

Jerry Bryant, group manager for response communications at Microsoft, revealed Microsoft’s distaste for Vupen’s actions. He said that Microsoft is aware of a “claimed” vulnerability, but has yet to verify it, intimating that Vupen’s security team may be wrong. He went on to slam Vupen for not reporting the flaw to Microsoft like a good boy, suggesting that it was not supporting responsible disclosure. That’s comms for you though.

He said that Microsoft “continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cyber-criminals learn of—and work to exploit—a vulnerability.” 

That said, it is probably more likely that the Vole is upset that flaws in its shiny new software suite have been discovered at all, particularly since Vupen seems to have a thing for Microsoft vulnerabilities.

Vupen, on the other hand, appears to be following in the footsteps of a Google engineer who last month leaked a Help and Support Centre flaw. Hackers have since used that information to launch over 10,000 attacks on Windows XP machines. Who knows how many attacks will hit machines with Office 2010 with this latest alleged leak if it’s not patched in time.

Vupen said that “Office 2010 is definitely more secure than previous Office versions”, but its soothsayers said that they “expect to discover more issues [with Office 2010] within the next few weeks”.

A Microsoft spokesperson, Jerry Bryant, got back in touch with us and re-issued the same statement. So here it is, again: 

“Microsoft is aware of a claimed vulnerability but does not have the details to validate the claim. To minimise risk to computer users, Microsoft continues to encourage responsible disclosure.  Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. 

While there are many ways to protect customers from attacks, the creators of the product are in the best position to understand the general risk to the broader customer base and create updates to the product or service that protect everyone.  Vulnerability sharing programs that do not include the software vendor are risky programs and do not promote overall customer safety.”