Redmond (ip-192.com): Three of the critical vulnerabilities Microsoft patched Tuesday in ActiveX controls for Office were first reported to the company two years ago, according to security firm Zero Day Initiative (ZDI).
All three of the bugs were reported by ZDI, a bug bounty program run by TippingPoint Technologies, a 3Com company. The trio were among a total of four vulnerabilities Microsoft patched Tuesday in its Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them using Internet Explorer (IE).
On July 13, 2009, a day before that month's security updates were slated to release, Microsoft issued an advisory that warned users of ongoing attacks against IE users. That same day, U.K.-based security company Sophos said it had uncovered multiple Web sites, many of them hosted on Chinese domains, that were serving up the ActiveX exploit as part of a multi-strike attack toolkit.
Microsoft defended its patch process. "Every vulnerability is different and has its own unique challenges," said Christopher Budd, a spokesman for the Microsoft Security Research Center. "Providing a quality, timely update to customers is of the utmost importance to Microsoft. As such, the company will only release updates after they've gone through a disciplined, rigorous development and testing process."


