Microsoft Confirms New Word Vulnerability

By NewsFactor Network | December 12, 2006

Microsoft has confirmed that criminals are e-mailing Word attachments that contain malicious code, with two vulnerabilities in the ubiquitous word-processing software now being exploited.

The separate acknowledgements of the two flaws came about a week apart. Both flaws put users at risk. In the most recently reported vulnerability, a zero-day flaw, an attacker can run unauthorized software on a victim’s machine simply by having the message’s recipient open a Word document.

The vulnerability has been rated “extremely critical” by security firm Secunia because of its potential danger to users.

A similar bug was reported last week. According to Microsoft, neither bug will be patched in the latest round of software updates, known as Patch Tuesday. Microsoft has noted that both flaws are being exploited only on a very limited and targeted basis.

Office Mate

Over the past year, hackers have been increasingly interested in finding flaws in Microsoft’s Office suite. The popularity of applications like Excel and PowerPoint have led attackers to find flaws in those programs because they can reach such large numbers of users.

The recent Word flaws run the gamut of major versions of the software — including Word 2000, Word 2002, Word 2003, and Word Viewer 2003 — but does not affect Word 2007.

In an advisory, Microsoft noted that the most recent vulnerability is different from the other Word flaw found last week, also a zero-day vulnerability for which there is no patch, but did not go into specifics.

“Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources,” Microsoft warned.

Patch Work

Although Microsoft has drawn criticism in the blogosphere for not being speedier with a patch for the problems, Secunia Chief Technology Officer Thomas Kristensen noted that fixing a flaw like this in a program as popular as Word might take…

Bookmark and Share :-)