Office Web Components Under Security Investigation

Microsoft is carrying out a security investigation into problems with its Microsoft Office Web Components, a client-side technology for making Web pages more dynamic that has come to be used in many companies' server-side applications.

The problem is serious enough that Microsoft has removed the download page for the Office XP version of the tool and replaced it with this text:
"Microsoft has temporarily removed the Office Web Components while we conduct an investigation of potential security vulnerabilities. At the completion of our investigation, the OWC will be reposted."

The Microsoft Office Web Components were developed as client-side ActiveX controls for use within Internet Explorer to provide Web developers with spreadsheet, charting, and pivot table capabilities.

In a February Microsoft Knowledge Base article, however, Microsoft acknowledged that many developers included them in server-side solutions, such as in Active Server Pages or COM+, to build and export charts. At the time, Microsoft warned that the server-side approach could disrupt the stability and performance of server code.

Microsoft's first widespread alert that there was a problem with OWC came in the bulletin offering patches for four problems with Commerce Server last week. Two of the four problems addressed by the bulletin involved issues surrounding the OWC package installer. Although two vulnerabilities in that patch were critical, both OWC package installer problems were rated moderate.

The Commerce Server patch merely changes some configuration settings that involve the OWC installer rather than fixing the unchecked buffer condition that is at the root of the security problems.

"There is a security investigation currently underway regarding the Office Web Components. Because of that, we felt it was not appropriate to ship a security patch that contained a component that potentially suffers from a different, unrelated security issue. On the other hand, we felt it was not appropriate for these issues to remain unaddressed while we continue that investigation," Microsoft's security bulletin on Commerce Server reads.

Microsoft plans to fully patch the OWC package installer overruns once the general OWC investigation is complete.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

