Office Web Components Under Security Investigation
- By Scott Bekker
Microsoft is carrying out a security investigation into problems with its Microsoft Office Web Components (OWC), a client-side technology for making Web pages more dynamic that has also come to be used in many companies' server-side applications.
The problem is serious enough that Microsoft has removed the download page for the Office XP version of the tool and replaced it with this text:
"Microsoft has temporarily removed the Office Web Components while we conduct an investigation of potential security vulnerabilities. At the completion of our investigation, the OWC will be reposted."
The Microsoft Office Web Components were developed as client-side ActiveX controls for use within Internet Explorer, giving Web developers spreadsheet, charting, and pivot table capabilities.
In a February Microsoft Knowledge Base article, however, Microsoft acknowledged that many developers had included the controls in server-side solutions, such as Active Server Pages or COM+ components, to build and export charts. At the time Microsoft warned that the server-side approach could disrupt the stability and performance of server code.
Microsoft's first widespread alert that there was a problem with OWC came last week, in the bulletin offering patches for four problems with Commerce Server. Two of the four problems addressed by the bulletin involved the OWC package installer. Although the other two vulnerabilities fixed by that patch were rated critical, both OWC package installer problems were rated moderate.
The Commerce Server patch merely changes some configuration settings that involve the OWC installer; it does not fix the unchecked buffer in the installer that is at the root of the security problems.
"There is a security investigation currently underway regarding the Office Web Components. Because of that, we felt it was not appropriate to ship a security patch that contained a component that potentially suffers from a different, unrelated security issue. On the other hand, we felt it was not appropriate for these issues to remain unaddressed while we continue that investigation," Microsoft's security bulletin on Commerce Server reads.
Microsoft plans to fully patch the OWC package installer buffer overruns once the general OWC investigation is complete.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.