Software // Enterprise Applications
News
12/6/2006
02:06 PM
Connect Directly
RSS
E-Mail
50%
50%

New Word Zero-Day Attacks Begin

Microsoft acknowledged that specially crafted Word documents could be used to seize a computer, and urged users to use care when opening Word files sent by untrusted sources or that are received unexpectedly from trusted sources.

Microsoft warned Mac and Windows users of its popular word processor Word that attackers are exploiting an unpatched flaw in the program's file format. A security research firm said the attacks will likely remain limited.

Tuesday, Microsoft posted a security advisory that acknowledged specially crafted Word documents could be used to seize a computer, and offered a defensive recommendation. "Do not open or save Word files that you receive from untrusted sources or that are received unexpectedly from trusted sources," Microsoft said in the advisory.

Word 2000, 2002, and 2003 are vulnerable, noted Microsoft, as are Microsoft Works 2004, 2005, and 2006 since those bundles also include Word, and Word Viewer 2003, a free-of-charge utility aimed at users who don't own Word but need to view and print documents in the program's native file format. Users of Word 2004 for Mac and Word 2004 v. X for Mac are also at risk.

"We're not seeing any widespread outbreak," says Vince Hwang, a group product manager with Symantec's security response team. "Instead, we expect that it will be used in targeted attacks against individuals."

Although Microsoft doesn't rate its advisories, others have pegged the new zero-day as critical. Danish vulnerability tracker Secunia, for example, labeled the new flaw as "extremely critical," the top-most ranking in its five-step scoring system.

Attackers could leverage the bug by enticing users to a malicious Web site and then convincing them to download and open a malformed Word document. More likely, however, would be e-mailed attacks; opening a malicious attachment could compromise the Mac or PC.

Microsoft is investigating, and as is its practice, said it might provide a patch but didn't specify a timeline. "Microsoft will take the appropriate action to help protect our customers [which] may include providing a security update through our monthly release process or providing an out-of-cycle security update." The company's next security updates are scheduled next week, Dec. 12.

This is the second major Microsoft Word zero-day exploit in 2006; in May, a Chinese-based attack hit one or more enterprises using another flaw in the Word file format. Microsoft patched that bug in mid-June.

"It's not clear whether this [attack] is being done by the same [group]," says Hwang. "But it's part of the trend in the increase in zero-days that we've seen this year."

After the May attack using Word, follow-on assaults were conducted by cyber criminals using new-found flaws in other Microsoft Office applications, including its Excel spreadsheet and PowerPoint presentation maker. This summer, experts laid the blame on sophisticated hackers who were using advanced "fuzzing" tools to sniff out previously-undetected vulnerabilities in file formats.

"This is all part of the much wider use of fuzzing," says Hwang.

If history is any indicator, Microsoft will not patch the Word vulnerability in December. The company took 26 days to patch the May flaw, for instance, 118 days to fix a similar Excel format bug, and 27 to patch PowerPoint.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.