Microsoft Word faces triple threat

Security researchers uncovered three separate vulnerabilities within Microsoft’s Word software package last month, any of which could allow a hacker to gain control of a victim’s computer.

By Administrator. Published December 31, 2006

Microsoft released details of the first flaw on 6 December and revealed that it affected both PC and Mac versions of the software and would allow hackers to run their own code.

The versions affected include the 2000, 2002 and 2003 Windows versions, the 2003 Word Viewer, Word 2004 and 2004 v.X for Macs, and Works 2004, 2005 and 2006.

The software giant issued no details on how the exploit works, saying only: “When a user opens a specially crafted Word file using a malformed string, it may corrupt system memory that an attacker could execute arbitrary code.”

The second flaw, which came to light on 11 December, is another memory control bug, according to researchers at the Microsoft Security Response Center (MSRC).

“From the initial reports we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis,” said Scott Deacon of the MSRC.

Researchers at the United States Computer Emergency Readiness Team (US-CERT) revealed the discovery of a third flaw on 15 December, saying: “Do not open unfamiliar or unexpected Word or other Office documents, particularly those hosted on web sites or delivered as email attachments. Do not rely on file name extension filtering: in most cases, Windows will call Word to open a document even if the document has an unknown file extension.”

At the time of going to press, Microsoft had not issued patches for any of the vulnerabilities listed.
