MS issues Word hack warning for PCs and Macs

By Eliot Beer. Published December 7, 2006

Microsoft has issued a security bulletin warning users of its Word and Works office software not to open Word documents from untrusted sources – or “unexpected” documents from trusted sources.

The vulnerability exists in most of the current versions of Word – which is usually sold as part of Microsoft Office – for both PCs and Apple Macs. These include the 2000, 2002, 2003 Windows versions, the 2003 Word Viewer, Word 2004 and 2004 v.X for Macs, and Works 2004, 2005 and 2006.

“Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file,” said Microsoft in its security advisory notice.

The software giant issued no details on how the exploit works, saying only: “When a user opens a specially crafted Word file using a malformed string, it may corrupt system memory in such a way that an attacker could execute arbitrary code.”

Microsoft also said: “An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.”

The firm said it was currently working on a patch, but did not say when this would be released. It is likely the patch will be issued in the forthcoming Patch Tuesday round of updates, scheduled for 12 December.

Until then, Word and Works users are advised to verify any ‘.doc’ format documents they receive, even from known and trusted sources. Microsoft’s advisory is here.
