Microsoft Word Gets A New Flaw
There is yet another reason to be careful when opening 'Microsoft Office' attachments. On December 5, 2006, Microsoft warned of a new, un-patched 'memory corruption error' it found in its 'word-processing' software. The company said it was investigating reports of "limited" attacks that take advantage of the problem.
Microsoft's public relations firm said in an e-mail statement that the company has become aware of "limited zero-day" attacks exploiting a vulnerability in 'Microsoft Word 2000', 'Microsoft Word 2002', 'Microsoft Office Word 2003', 'Microsoft Word Viewer 2003', 'Microsoft Word 2004' for Mac and 'Microsoft Word 2004 v. X' for Mac, and also 'Microsoft Works' 2004, 2005, and 2006.
Security firm 'FrSIRT' rated the vulnerability in Microsoft Word as "critical" and explained in an advisory that attackers could exploit it to gain complete control of an affected system. The flaw results from a 'memory corruption error' that occurs while handling a malformed document. Attackers could exploit it to run arbitrary commands by duping a user into viewing a specially crafted Word document.
Microsoft has not made any 'pre-patch workarounds' available. However, in a security bulletin, it advises users to refrain from opening or saving Word files, even if they came from trusted sources. To be safe, users should always exercise caution when opening e-mails with unsolicited attachments from both known and unknown people.
Microsoft said that once the investigation is complete, it will take appropriate steps to protect its customers. This may include producing a 'security update' through its 'monthly release process' or even an "out of cycle" security update, according to the urgency of customer needs.
Since automatic security updates have become common, attackers now focus more on developing attacks that target such un-patched flaws in software. These attacks are sometimes called '0day attacks'. This trend has compelled Microsoft to develop an increasing number of software updates in recent months.
Hackers have particularly turned their attention to Microsoft's Office products. Some researchers consider them a more active source of bugs than the Windows operating system.
This 'zero-day' attack in Microsoft Word is the second major one in 2006.
» SPAMfighter News - 12-12-2006