Office 2007 Beta security problem?

Reports are coming out about a possible security problem with the beta releases of Office 2007 – which makes for a good headline but really is NOT true.

The problem concerns the VML processing system. VML stands for Vector Markup Language, which is a way to describe images as XML code on a web page instead of downloading a separate image (bitmap). Details here.

VML images appear not only on web pages but also in HTML-formatted emails. Since Office can deal with email messages (Outlook) as well as web pages, there is a chance of this exploit being accessed via Office products.

However the core code that is at fault is vgx.dll which is supplied with Windows – not Office. While Office is involved, that’s only because it uses this Windows technology, just like many other programs.

According to Microsoft the affected software is:



  • Windows 2000 Service Pack 4

  • Windows XP Service Pack 1 and Service Pack 2

  • Windows XP Professional x64 Edition

  • Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

  • Windows Server 2003 with SP1 for Itanium-based Systems Edition

  • Windows Server 2003 x64 Edition

There is no patch yet available – Microsoft is aiming to put it in the next patch release around 10 October 2006.

There are now reports of web sites exploiting this problem to drop unwanted software onto computers so it might not take long for nasty emails to start appearing. Looks like Microsoft might have to move faster for the release of a patch.

We have a concern about the possible use of this exploit via HTML email.

ARE EMAIL MESSAGES AT RISK?

Reading between the lines of Microsoft’s carefully worded announcement, it seems possible for this exploit to be used in an HTML email message that appears in the preview pane of Outlook (or any other program that uses the Windows/IE systems to display HTML).

That is a serious possibility because most people initially view messages via the preview pane. If a computer could be infected just by clicking on the message to peek at the contents, then a nastie could spread very quickly.

That scenario would explain why Microsoft has a recommendation (buried deep in the web page) to view all email messages in plain text only.
Whether you wish to do that is up to you. Plain text renderings of HTML emails are often very hard to read and you might feel that’s too much trouble.
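
A mail filter could apply the plain-text recommendation only to messages that actually contain VML, rather than to all mail. The sketch below is an added example, not code from this article or from Microsoft's announcement; the function names and the sample message are constructed for illustration, and the marker strings are the usual ways VML is declared in HTML.

```python
import re
from email import message_from_string

# Strings that mark VML in HTML: the VML namespace URN, the IE behavior
# binding, and elements with the conventional (but not mandatory) "v:" prefix.
VML_MARKERS = [
    re.compile(r"urn:schemas-microsoft-com:vml", re.I),
    re.compile(r"#default#VML", re.I),
    re.compile(r"<\s*v:[a-z]+", re.I),
]

def html_has_vml(html):
    return any(p.search(html) for p in VML_MARKERS)

def safe_body(raw_message):
    """Return (text_to_display, vml_found); HTML with VML is never returned."""
    plain, html, vml = [], [], False
    for part in message_from_string(raw_message).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # skip multipart containers and non-text parts
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            html.append(text)
            vml = vml or html_has_vml(text)
        else:
            plain.append(text)
    if vml:
        # Fall back to the plain-text alternative, or a notice if there is none.
        return "\n".join(plain) or "[HTML body withheld: contains VML]", True
    return "\n".join(html or plain), False

# Constructed sample: the HTML part draws a harmless VML rectangle.
SAMPLE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Plain text version.
--b1
Content-Type: text/html; charset="us-ascii"

<html xmlns:v="urn:schemas-microsoft-com:vml"><body><v:rect fillcolor="red"></v:rect></body></html>
--b1--
"""
```

Matching on markers will also flag legitimate VML, which is the intended trade-off here: flagged messages are still readable as plain text.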

Other options are listed on the Microsoft announcement – one involves unregistering / disabling the link to vgx.dll but that might cause some programs to misbehave.

We stress that the preview pane infection possibility is not proven – but it seems likely given the nature of the security gap in Windows and the specific recommendation from Microsoft. We don’t want to be alarmist but we feel it’s fair to warn our readers of the possibility.
