Microsoft Issues Alert on New Word Vulnerability
Microsoft Corp. on March 21, 2008 warned of a critical bug affecting any computer running Word on Windows 2000, Windows Server 2003 SP1 or Windows XP. The warning came almost three weeks after PandaLabs, an online security company, first reported an exploit on March 3, 2008, and one day after another vendor confirmed that attacks were ongoing.
Microsoft acknowledged public reports of a small number of targeted attacks exploiting a vulnerability in the Microsoft Jet Database Engine, a component of Windows that gives applications such as Microsoft Access and Visual Basic access to database files. Symantec Corp. noted that Microsoft described the attacks as using malware-laden Word 2000, 2002, 2003 and 2007 documents which in turn invoke the vulnerable Jet library (msjet40.dll).
Ismael Briones, a researcher with PandaLabs, had written about the bug on the company's blog on March 3, 2008, but said Microsoft rejected his report even though it described an exploit already circulating in the wild, ComputerWorld reported on March 22, 2008.
Briones further said that Microsoft had replied that it would not plug the .mdb holes, as the company does not accept flaws reachable only through .mdb files as vulnerabilities: it told him he appeared to be reporting a problem with a file type that Microsoft considers unsafe, and which many applications, such as Outlook and Internet Explorer, automatically filter out.
However, researchers at Symantec studied an exploit that bypasses Outlook's blocking of .mdb files simply by renaming the file to an extension the mail client accepts. In fact, msjet40.dll can be called directly from Word without any need for Access: in this kind of attack, the .doc file uses Word's mail-merge feature to import a data file, which forces Jet to parse the malformed, malware-laced Access database.
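The rename trick works because the filters mentioned above look only at the file extension. The following Python is an added example, not code from the article, Microsoft, Symantec or PandaLabs, showing a content-based check that catches a Jet database whatever it is called: it relies on the well-known Jet file header (four bytes 00 01 00 00 followed by the ASCII string "Standard Jet DB" for Jet 3/4 .mdb files, or "Standard ACE DB" for Access 2007 .accdb files). The blocked-extension list, the filenames and the sample bytes are constructed for illustration and are not Outlook's actual configuration.

```python
"""Flag attachments whose content is a Jet/Access database regardless of
the extension they carry.  Extension-based filters are defeated by simply
renaming the file; inspecting the file header is not.

Added example, not code from the article or any vendor named in it.
Header layout assumed: bytes 0-3 are 00 01 00 00, bytes 4.. are
"Standard Jet DB" (Jet 3/4 .mdb) or "Standard ACE DB" (Access 2007 .accdb).
"""
import os

JET_MAGIC = b"\x00\x01\x00\x00"
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")

# Constructed block list for this example; a real gateway would use its own.
# The point of the content check below is that it fires even when the
# extension is one the gateway allows.
BLOCKED_EXTENSIONS = {".mdb", ".mde", ".accdb", ".ade", ".adp"}


def is_jet_database(data: bytes) -> bool:
    """Return True if the bytes start with a Jet/ACE database header."""
    if data[:4] != JET_MAGIC:
        return False
    return any(data[4:4 + len(sig)] == sig for sig in JET_SIGNATURES)


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment.

    'blocked'   - extension is on the block list (an extension filter
                  would stop it anyway)
    'disguised' - extension is allowed but the content is a Jet database,
                  i.e. the renamed-.mdb trick described in the article
    'allowed'   - neither
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "blocked"
    if is_jet_database(data):
        return "disguised"
    return "allowed"


def scan_attachments(attachments):
    """Return {filename: verdict} for an iterable of (filename, bytes)."""
    return {name: classify_attachment(name, data) for name, data in attachments}


def _fake_jet_header(signature: bytes) -> bytes:
    """Constructed sample: a Jet header followed by zero padding, no real data."""
    return JET_MAGIC + signature + b"\x00" + bytes(64)


# Constructed sample attachments for the demonstration run.
SAMPLE_ATTACHMENTS = [
    ("report.mdb", _fake_jet_header(b"Standard Jet DB")),  # stopped by extension
    ("report.txt", _fake_jet_header(b"Standard Jet DB")),  # renamed .mdb
    ("data.accdb", _fake_jet_header(b"Standard ACE DB")),
    ("notes.txt", b"just some text\n"),
    ("empty.txt", b""),
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:12s} {verdict}")
```

Running the block prints "disguised" for report.txt, the renamed database that an extension-only filter would let through, while the genuine text files come back "allowed". The same header check can be applied to the data file a mail-merge document points at before Word is allowed to hand it to Jet.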
Microsoft said, however, that people using Word on computers running Windows Server 2003 SP2 or Windows Vista are not affected, because those operating systems ship a different version of the Jet engine.
Although Microsoft rated the severity of the threat as low, company spokesman Bill Sisk confirmed that work on a patch was under way, ComputerWorld reported on March 22, 2008.
Related article: Microsoft Patches Live OneCare to Tackle Quarantined E-Mails
» SPAMfighter News - 29-03-2008