Microsoft Leaves Critical Word Flaws Unpatched
On Tuesday, Microsoft released its monthly round of patches to fix vulnerabilities in Windows and Office, but conspicuously absent were fixes for two known flaws in the widely used Microsoft Word application.
The vulnerabilities were first reported in December, and were ranked critical by security firms because they could be used by malicious hackers to gain complete control over a system.
An attacker could send a Word document and get access to a user’s system if the document is opened, said Thomas Kristensen, Secunia’s chief technology officer. But, he emphasized, attacks have been limited.
“Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources,” Microsoft warned last month.
Patch Work
In its monthly patch release, Microsoft published four security bulletins that addressed 10 vulnerabilities. These flaws are all related to Windows and Office applications, specifically focusing on how the software handles files.
Prior to the release of the security patches, attackers could have created special files that, when opened by end users, might have allowed the hackers to gain remote control of those PCs.
Much as it does with every update round, Microsoft also issued a recommendation that all customers enable Automatic Updates so the patches load automatically without requiring users to download them manually.
Although Microsoft initially had four more security bulletins planned for this first patch update of the year — for a total of eight altogether — the four bulletins were pulled from the lineup only days before the updates were to be released.
Long Process
The zero-day Word flaws that have remained unpatched should make users aware of their security systems and protocols, Kristensen noted, although they should not cause widespread alarm. It is likely that Microsoft has delayed the fixes because not enough work has been done on creating an effective patch, he…
