Office Web Components Under Security Investigation

Microsoft is carrying out a security investigation into problems with its Microsoft Office Web Components, a client-side technology for making Web pages more dynamic that has come to be used in many companies' server-side applications.

The problem is serious enough that Microsoft has removed the download page for the Office XP version of the tool and replaced it with this text:
"Microsoft has temporarily removed the Office Web Components while we conduct an investigation of potential security vulnerabilities. At the completion of our investigation, the OWC will be reposted."

The Microsoft Office Web Components were developed as client-side ActiveX controls for use within Internet Explorer to provide Web developers with spreadsheet, charting, and pivot table capabilities.

In a February Microsoft Knowledge Base article, however, Microsoft acknowledged that many developers included them in server-side solutions, such as Active Server Pages or COM+, to build and export charts. At the time, Microsoft warned that the server-side approach could disrupt the stability and performance of server code.

Microsoft's first widespread alert that there was a problem with OWC came in the bulletin offering patches for four problems with Commerce Server last week. Two of the four problems addressed by the bulletin involved issues surrounding the OWC package installer. Although two vulnerabilities in that patch were critical, both OWC package installer problems were rated moderate.

The Commerce Server patch merely changes some configuration settings that involve the OWC installer rather than fixing the unchecked buffer condition that is at the root of the security problems.

"There is a security investigation currently underway regarding the Office Web Components. Because of that, we felt it was not appropriate to ship a security patch that contained a component that potentially suffers from a different, unrelated security issue. On the other hand, we felt it was not appropriate for these issues to remain unaddressed while we continue that investigation," Microsoft's security bulletin on Commerce Server reads.

Microsoft plans to fully patch the OWC package installer overruns once the general OWC investigation is complete.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

