Future zero-day attacks using flaws in Microsoft's Office productivity suite will likely be foiled by security features in Windows Vista, one researcher argued last week.
While dozens of vulnerabilities--many of them previously unknown--have plagued Microsoft's Office team this year, Windows users upgrading to Vista will have a lot less to worry about, Thomas Dullien, head of research for reverse-engineering tool maker Sabre Security, said in a post to his blog. Specifically, because Microsoft has added Address Space Layout Randomization (ASLR) to the Windows operating system, attackers will not be able to create reliable exploits using file-format vulnerabilities, he said.
"As a result of this, client-side bugs in MS Office are approaching their expiration date," Dullien, also known in the security world as "Halvar Flake," said in his post. "Not quickly, as most customers will not switch to Vista immediately, but they are showing the first brown spots, and will at some point start to smell."
Microsoft's Office products has become a popular target for attacks utilizing zero-day vulnerabilities--those flaws that take the security community by surprise. Microsoft has fixed a number of flaws in the applications that make up Office, including Excel, Word and PowerPoint.
In responding to comments over the weekend about the post, Dullien wrote that attacks aimed at penetrating a company's network defenses might still succeed, but figuring out information about specific clients in the company might still be difficult.
Posted by: Robert Lemos