Researchers from VUPEN Security in France report that they have found out vulnerability in the Microsoft Office 2010. But they also said that they have not yet reported the Microsoft officially.
According to the researchers at VUPEN security, it is said that a memory corruption flaw which could help an attacker to execute code has been discovered. The company has created a code execution exploit that works with Office 2010 and bypasses Data Execution Prevention and Office File Validation features.
The bug:
The Chief Executive Officer of Vupen, Chaouki Bekrar told that the bug is caused by a heap corruption error while processing malformed data within an Excel document. Further he added that there are many security features that are enabled in Office 2010 by default which will make exploiting the vulnerability an easy job. But yet they are able to execute the code reliably through a specially crafted Excel document.
Even though the technical details of the bug are not available at present, Vupen says that the government who is one of the customers of Vupen Threat Protection Program has access to the binary analysis of the vulnerability. But it also accepts that it has not yet reported the vulnerability details to Microsoft.
Reply of Microsoft:
Jerry Bryant who is the group manager of response communications at Microsoft replied that Microsoft is already aware of the vulnerability but it does not have the details to validate the vulnerability. According to Bryant Microsoft encourages the disclosure of the vulnerability directly to the vendors. It believes that revealing the vulnerabilities to the vendors help the customers to receive high quality updates before the cyber criminals become aware of the vulnerability and exploit it thereby reducing the risks to the customers.
Bekrar of Vupen states that vupen encourages disclosure of the vulnerabilities. He added that some of the vulnerabilities are disclosed affecting MS Office Word, Excel and Internet Explorer. It is said that the customers are informed of the disclosed vulnerabilities and are advised to allow Vupen to protect national infrastructures from potential attacks.
Bekrar also stated that Vupen is still working on whether the bug affects the older versions of Microsoft and it is a very long and tedious process involving a lot of investment that it didn’t reveal Microsoft about the vulnerability. He added that Vupen is not interested in just obtaining name in disclosing the vulnerability to Microsoft which is really a very big research project for Vupen. But it is said that Vupen will disclose the details of the bug to Microsoft at a later date after the full research is complete.
In reply, Bryant says that the creators of a product are responsible to create updates to protect their customers from probable vulnerabilities.
To conclude, when VUPEN discloses the bug Microsoft will be able to come up with a solution and the users will be soon benefited. It is necessary for the company to come up with the solution as soon as possible because it is hampering the image of Micosoft’s promise for quality product delivery.
