By Gregg Keizer
Dec 6, 2006
Microsoft warned Mac and Windows users of its popular word processor
Word that attackers are exploiting an unpatched flaw in the program's
file format. A security research firm said the attacks will likely
Tuesday, Microsoft posted a security advisory that acknowledged
specially crafted Word documents could be used to seize a computer, and
offered a defensive recommendation. "Do not open or save Word files that
you receive from untrusted sources or that are received unexpectedly
from trusted sources," Microsoft said in the advisory.
Word 2000, 2002, and 2003 are vulnerable, noted Microsoft, as are
Microsoft Works 2004, 2005, and 2006 since those bundles also include
Word, and Word Viewer 2003, a free-of-charge utility aimed at users who
don't own Word but need to view and print documents in the program's
native file format. Users of Word 2004 for Mac and Word 2004 v. X for
Mac are also at risk.
"We're not seeing any widespread outbreak," says Vince Hwang, a group
product manager with Symantec's security response team. "Instead, we
expect that it will be used in targeted attacks against individuals."
Although Microsoft doesn't rate its advisories, others have pegged the
new zero-day as critical. Danish vulnerability tracker Secunia, for
example, labeled the new flaw as "extremely critical," the top-most
ranking in its five-step scoring system.
Attackers could leverage the bug by enticing users to a malicious Web
site and then convincing them to download and open a malformed Word
document. More likely, however, would be e-mailed attacks; opening a
malicious attachment could compromise the Mac or PC.
Microsoft is investigating, and as is its practice, said it might
provide a patch but didn't specify a timeline. "Microsoft will take the
appropriate action to help protect our customers [which] may include
providing a security update through our monthly release process or
providing an out-of-cycle security update." The company's next security
updates are scheduled next week, Dec. 12.
This is the second major Microsoft Word zero-day exploit in 2006; in
May, a Chinese-based attack hit one or more enterprises using another
flaw in the Word file format. Microsoft patched that bug in mid-June.
"It's not clear whether this [attack] is being done by the same
[group]," says Hwang. "But it's part of the trend in the increase in
zero-days that we've seen this year."
After the May attack using Word, follow-on assaults were conducted by
cyber criminals using new-found flaws in other Microsoft Office
applications, including its Excel spreadsheet and PowerPoint
presentation maker. This summer, experts laid the blame on sophisticated
hackers who were using advanced "fuzzing" tools to sniff out
previously-undetected vulnerabilities in file formats.
"This is all part of the much wider use of fuzzing," says Hwang.
If history is any indicator, Microsoft will not patch the Word
vulnerability in December. The company took 26 days to patch the May
flaw, for instance, 118 days to fix a similar Excel format bug, and 27
to patch PowerPoint.
Subscribe to InfoSec News