
Possible Microsoft Office 2010 Security Issue

According to researchers at Vupen Security, there's a memory corruption flaw in Microsoft Office 2010 that could be used by an attacker to execute code.

The company June 22 said it "created a code execution exploit which works with Office 2010 and bypasses DEP (Data Execution Prevention) and Office File Validation features."

The bug, Vupen CEO Chaouki Bekrar told eWEEK, is caused by a heap corruption error when processing malformed data within an Excel document.

"Exploiting this vulnerability is not trivial since many security features are enabled by default in Office 2010 including DEP ... Office File Validation and Protected View," Bekrar explained in an e-mail. "However, we have been able to reliably achieve code execution via a specially crafted Excel document."

Microsoft, however, says it does not have the details:

"Microsoft is aware of a claimed vulnerability but does not have the details to validate the claim," Jerry Bryant, group manager of response communications at Microsoft, said in a statement. "To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cyber-criminals learn of—and work to exploit—a vulnerability."

So it looks like the "jury" is still out on this one. At any rate, enterprises using Office 2010 should keep a close eye on the situation.