Chaouki Bekrar, CEO and director of research at VUPEN, says the flaw is a heap corruption vulnerability that, if exploited, would let an attacker run arbitrary code on the victim's machine and take over the machine once the user opened a specially crafted Office document. "We are currently verifying if the vulnerability affects previous versions of Office. What we have seen so far is that the vulnerable code is only present in Office 2010," Bekrar says.
VUPEN also has found a separate, potential bug in Word 2010. "But the analysis of this potential flaw to determine its exploitability is still ongoing," he says.
Even so, Bekrar says Office 2010 is much more secure than previous versions of the software. "What we can say after this research session is that Office 2010 is definitely more secure than previous Office versions. The use of new features like Office File Validation or Protected View makes the discovery and exploitation of vulnerabilities harder, but we managed to reliably execute arbitrary code via a specially crafted document," he says.
Jerry Bryant, group manager for response communications at Microsoft, says Microsoft is "aware" of the vulnerability discovery claim, but doesn't have the details to verify it. "To minimize risk to computer users, Microsoft continues to encourage responsible disclosure," Bryant says. "Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cybercriminals learn of -- and work to exploit -- a vulnerability. While there are many ways to protect customers from attacks, the creators of the product are in the best position to understand the general risk to the broader customer base and create updates to the product or service that protect everyone.
"Vulnerability-sharing programs that do not include the software vendor are risky programs and do not promote overall customer safety," he says.
So why didn't VUPEN alert Microsoft about the bug in Office 2010? Berkrar says VUPEN alerted its VUPEN Threat Protection Program customers, and it's still determining whether the bug affects older versions of Office. "Discovering and researching this vulnerability was a long process and an important investment for VUPEN, so accepting just to get our names in the credit section of a Microsoft advisory as a compensation for this huge research work is not enough," Bekrar says.
But VUPEN says Microsoft will "be informed at a later date" about the bug, he says. A link to VUPEN's public disclosure is here.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.