Microsoft acknowledged that specially crafted Word documents could be used to seize a computer, and urged users to use care when opening Word files sent by untrusted sources or that are received unexpectedly from trusted sources.
Microsoft warned Mac and Windows users of its popular word processor Word that attackers are exploiting an unpatched flaw in the program's file format. A security research firm said the attacks will likely remain limited.
Tuesday, Microsoft posted a security advisory that acknowledged specially crafted Word documents could be used to seize a computer, and offered a defensive recommendation. "Do not open or save Word files that you receive from untrusted sources or that are received unexpectedly from trusted sources," Microsoft said in the advisory.
Word 2000, 2002, and 2003 are vulnerable, noted Microsoft, as are Microsoft Works 2004, 2005, and 2006 since those bundles also include Word, and Word Viewer 2003, a free-of-charge utility aimed at users who don't own Word but need to view and print documents in the program's native file format. Users of Word 2004 for Mac and Word 2004 v. X for Mac are also at risk.
"We're not seeing any widespread outbreak," says Vince Hwang, a group product manager with Symantec's security response team. "Instead, we expect that it will be used in targeted attacks against individuals."
Although Microsoft doesn't rate its advisories, others have pegged the new zero-day as critical. Danish vulnerability tracker Secunia, for example, labeled the new flaw as "extremely critical," the top-most ranking in its five-step scoring system.
Attackers could leverage the bug by enticing users to a malicious Web site and then convincing them to download and open a malformed Word document. More likely, however, would be e-mailed attacks; opening a malicious attachment could compromise the Mac or PC.
Microsoft is investigating, and as is its practice, said it might provide a patch but didn't specify a timeline. "Microsoft will take the appropriate action to help protect our customers [which] may include providing a security update through our monthly release process or providing an out-of-cycle security update." The company's next security updates are scheduled next week, Dec. 12.
This is the second major Microsoft Word zero-day exploit in 2006; in May, a Chinese-based attack hit one or more enterprises using another flaw in the Word file format. Microsoft patched that bug in mid-June.
"It's not clear whether this [attack] is being done by the same [group]," says Hwang. "But it's part of the trend in the increase in zero-days that we've seen this year."
After the May attack using Word, follow-on assaults were conducted by cyber criminals using new-found flaws in other Microsoft Office applications, including its Excel spreadsheet and PowerPoint presentation maker. This summer, experts laid the blame on sophisticated hackers who were using advanced "fuzzing" tools to sniff out previously-undetected vulnerabilities in file formats.
"This is all part of the much wider use of fuzzing," says Hwang.
If history is any indicator, Microsoft will not patch the Word vulnerability in December. The company took 26 days to patch the May flaw, for instance, 118 days to fix a similar Excel format bug, and 27 to patch PowerPoint.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.