Office 2007 springs its first leak

Security vendor eEye has uncovered the first security vulnerability in Microsoft's Office 2007 productivity suite.

Microsoft launched Office 2007 on 30 January together with its Windows Vista operating system.

The suite is the first Office version to go through Microsoft's Security Development Lifecycle program that checks and guards against coding errors, and is expected to dramatically reduce the number of security flaws.

The new vulnerability affects Publisher 2007, a desktop publishing tool that is considered a low-end alternative to Adobe InDesign and QuarkXPress.

EEye claims that the flaw could allow an attacker to execute arbitrary code on a system at the same privilege level as the logged-in user.

Effectively this would allow an attacker to take control of a system running Windows XP. But it causes less of a threat to Vista because most users will not be running in administrator mode.

A Microsoft spokesperson said that the company had been notified about a potential vulnerability and is investigating the reports. Microsoft stressed that it is not aware of any attacks exploiting the flaw.

"Microsoft will continue to work with eEye to further understand this report as part of our standard Microsoft Security Response Center investigation process and will provide additional guidance for customers as necessary," said the spokesperson.