Patch For Zero-Day Vulnerability Yet To Come
On 12th September 2006 Microsoft released patches for three security flaws in Office and Windows, but it did not deliver a patch for the 'Zero-day' vulnerability in Microsoft Word. Since Microsoft releases such patches every month, three patches in September is a trivial number. The three patches comprise two 'Windows' patches and one 'Office' patch. According to Microsoft, the 'Office' vulnerability is critical and capable of posing a high threat.
The real issues did not make the news, says Amol Sarwali, a research manager at Qualys, a vulnerability management firm. First, there was no patch for the Microsoft vulnerability on the whole, possibly due to a lack of time.
Last week Microsoft sent out a warning about a recently discovered security hole in Word 2000. This vulnerability was named the 'Zero-day' vulnerability. Both the flaw and the malware exploiting it, a Trojan called 'Mdropper.Q', were uncovered the same day. Microsoft said that it was working on the patch but could not confirm a release date. The flaw resembles the Office flaw for which Microsoft has provided a fix.
The new Office patch plugs the vulnerability in MS Publisher in Office 2000, XP and 2003. The flaw could have enabled a hacker to write a malicious Publisher document and use it to gain total control of a system. Microsoft said that a hacker who successfully exploited this loophole could get total command of an affected PC.
To prevent this exploit, Microsoft recommended that its customers install the update immediately. In addition, it has advised every user of 'Microsoft Office' to install the patch whether MS Publisher is installed or not, as some Office components use the same files as MS Publisher.
One of the two Windows flaws for which Microsoft released patches this month could allow a hacker to gain control of a system remotely, while the other could leak information.
The patches are available for download from the Microsoft website and are also delivered to users of 'Windows Auto Update'. Experts advise users to keep their anti-virus software updated until Microsoft releases a fix for the 'Zero-day' vulnerability.
» SPAMfighter News - 19-09-2006