The Zero Day Initiative (ZDI) team at HP TippingPoint has published details on no less than five zero-day security vulnerabilities impacting Microsoft Office. Back in August 2010, ZDI's Aaron Portnoy announced a change in the Disclosure Policy of the vulnerability research outfit.
Essentially, ZDI published limited advisories on the unpatched Office security flaws because the vulnerabilities were reported to Microsoft more than six months ago and the Redmond company has yet to provide updates designed to resolve the issues.
ZDI does not offer the full details related to the 0-day vulnerabilities, but only minimal information, as well as some workaround advice to help customers protect themselves against potential exploits.
All vulnerabilities disclosed at the start of this week could allow an attacker to execute code remotely on an affected machine, which would qualify the flaws for a maximum severity rating of Critical from the software giant.
The Redmond company recently published a video series enabling customers to get insight into the patch cooking process at Microsoft.
The software giant's approach to vulnerability management is extremely complex, which could explain why some of the security updates to its products require a longer baking time than others.
Here is the list of Office 0-day vulnerabilities from ZDI (it seems that Office 2010 is not affected and that the flaws impact older releases of the productivity suite, including Office 2007 and Office 2003):
- ZDI-CAN-811 - Microsoft Office Excel 2003 Invalid Object Type Remote Code Execution Vulnerability
- ZDI-CAN-829 - Microsoft Office Excel Office Art Object Parsing Remote Code Execution Vulnerability
- ZDI-CAN-904 - Microsoft Office Excel Axis Properties Record Parsing Remote Code Execution Vulnerability
- ZDI-CAN-798 - Microsoft Excel 2007 Office Drawing Layer Remote Code Execution Vulnerability
- ZDI-CAN-827 - Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability