According to the Redmond Company

Apr 13, 2007 11:09 GMT

Microsoft is strongly disputing claims of three zero-day vulnerabilities affecting the 2007 Office System. According to the Redmond Company, its initial investigation of the three reported Office 2007 issues failed to confirm that users are exposed to attacks.

Mati Aharoni of Offensive-Security.com, in Israel, has made available malformed Word documents together with proof of concept code for the three Office 2007 vulnerabilities. The examples were posted on the Milw0rm and SecurityVulns.com websites. Microsoft's reaction has prompted Aharoni to accuse the Redmond Company of confusion.

"A few days ago I released a few proof of concepts to full disclosure doc files which crashed my Word 2007, and a hlp file which when analysed looked like a classic heap overflow, with a twist or two. It looks like there is some confusion by Microsoft - who for some reason are not able to reproduce these bugs. I've received many mails from full disclosure members confirming the crash. Someone even mentioned Word 2004 crashing on OSX. So just to make things clear - here are some screenshots of the crashes. I fully hope that Microsoft will find the resources to figure this out," Aharoni commented.

A representative of the Microsoft Security Response Center claimed that the examples offered by Aharoni do not demonstrate in any manner the existence of vulnerabilities in Word 2007 or in the Office System for that matter. Accordingly, Microsoft will not label any of the issues reported by Aharoni as security flaws.

"In fact, the behavior observed in Microsoft Word 2007 in this instance is a by-design behavior that improves security and stability by exiting Microsoft Word when it has run out of options to try and reliably display a malformed Word document," an MSRC spokeswoman told ComputerWorld, even though Aharoni provided screenshots of Word 2007 crashes as proof of the validity of his findings.