Security Watch

Office 2003 Bug Gets Band-Aid

Plus, Microsoft explains its Indeo snub; Symantec fixes a Windows issue.

• By Jabulani Leffall
• 12/14/2009

As the year winds down, Microsoft's focus turns to housekeeping (at least, as far as security operations are concerned). On the list of things the company can now check off is an Office 2003 bug.

Microsoft said on Monday that it has fixed administrative access issues in Office 2003 that prevented users from opening documents that were saved and stored using Microsoft's Rights Management Services (RMS) program.

RMS is designed to keep nosy people (or hackers with malicious intentions) from opening sensitive documents or tampering with important documents sent over corporate networks.

Late Friday, Microsoft said that certain documents specifically on the Office 2003 suite may not open if equipped with RMS beyond a day "when an update issued." This would happen even if users had administrative access to the Windows OS and related applications.

Over the weekend, Redmond identified the problem as an Office 2003 certification expiration issue. Microsoft then issued a hotfix on Monday, but admitted in the description that it wouldn't resolve all issues. Microsoft cautioned users whose needs aren't as urgent to wait for a patch: "If you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix."

Microsoft Explains Indeo Snub
Hidden in plain sight in Microsoft's final patch release of 2009 last week was a security advisory that explained why the Indeo codec, a video compression software, was blocked from use in Internet Explorer and Windows Media Player.

Microsoft explained in the advisory that the update also blocks other applications that access the Internet from loading the codec onto certain Windows programs. So-called "security mitigations" to the Indeo codec are available on supported editions of Windows 2000, XP and Windows Server 2003, Redmond said.

While it's clear that Redmond has decided to block access to Indeo rather than build patches to deflect potential bugs, it's not known how many vulnerabilities the software contains. According to third-party security shops such as VeriSign iDefense and Fortinet, such bugs discovered over the past couple of years (and most recently at about this time last year) require users to open corrupt media files, most notably .AVI files, to trigger remote code execution.
 
The overriding dilemma that likely led to the blockage (instead of a patching) was the fact that the bug lay in the streaming component of Windows applications, which means that attacks can be launched from a malicious Web site or any application that delivers Web content. For instance, a user could open Windows Media Player on a Firefox browser and still get (as they say in the hacker world) "pwned" by malicious entities.
 
In this case, it appears Microsoft thought it'd rather be safe than sorry...or be spending time issuing patches that could be circumvented anyway.
 
Symantec Fixes Windows Issue, Takes Dig at Microsoft
Security services giant Symantec has acknowledged in a Knowledge Base article that there were "Network Path Not Found" error messages and other glitches in older versions of Symantec Endpoint Protection running on Windows servers.

On the same day that Symantec issued its fix, the company's CEO Enrique Salem reiterated to the The Australian that while his company takes Redmond's new Security Essentials software seriously, Symantec is still "the world leader in security," and may be in a better position than Microsoft in the security space.

Specifically, Salem said a new security deal for Amazon's cloud computing products and his company's steady dominance in enterprise security would sustain it against Microsoft, which he didn't think would encroach on Symantec's market share any time soon.