December 10, 2008 3:27 PM PST

Microsoft looking into WordPad zero-day flaw

by Robert Vamosi

Microsoft is investigating reports of a flaw in the WordPad Text Converter for Word 97 files, the company said on Tuesday. A Microsoft blog stated "we are aware of very limited and targeted attacks seeking to exploit this vulnerability."

On Wednesday security researchers reported finding a zero-day flaw affecting Microsoft Internet Explorer 7.

According to Microsoft Security Advisory 960906, the flaw only affects users of Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. This issue does not affect Windows XP Service Pack 3, Windows Vista, and Windows Server 2008.

When Microsoft Office Word is installed, Word 97 documents are set by default to open using Microsoft Office Word. Microsoft said Word is not affected by this vulnerability. However, an attacker could rename any malicious file to have a Windows Write (.wri) extension; the malicious file could invoke WordPad. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

The flaw cannot be exploited automatically through e-mail, however. For an attack to be successful, a user must open an e-mail attachment. Microsoft notes that the .wri file type can be blocked at the Internet perimeter.
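The perimeter block on .wri mentioned above can be sketched as a mail-gateway check that flags attachments whose effective extension is .wri. This is an added example, not code from the article or from Microsoft; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# File type named in the article; extend according to local policy.
BLOCKED_EXTENSIONS = {".wri"}


def normalized_extension(filename):
    """Return the extension Windows would act on, lower-cased."""
    # Windows drops trailing dots and spaces from file names, so
    # "update.wri." is saved and opened as "update.wri".
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(raw_message):
    """List attachment names in a raw RFC 5322 message that should be blocked."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # None for parts without a file name
        if filename and normalized_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample():
    """Constructed test message: two .wri variants and two harmless names."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for name in ("notes.doc", "Q4 report.WRI", "update.wri.", "readme.wri.txt"):
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

Matching on the normalized final extension catches case and trailing-dot variants while leaving names such as `readme.wri.txt`, which do not open as .wri, alone.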

Microsoft issued its standard disclaimer stating it is investigating the issue and would act upon completion of that investigation. Among the solutions, Microsoft could issue a service pack, include a bulletin in its next monthly security update, or issue an out-of-cycle security update depending on the severity of the issue.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by Mr. Dee December 10, 2008 5:12 PM PST
I am using Windows 7, so I am more than safe. :)
by Dalkorian December 11, 2008 3:41 PM PST
lol
by Hep Cat December 10, 2008 6:17 PM PST
It's funny - I could have sworn I read an article on C|Net yesterday that said this sort of thing isn't Microsoft's fault.
by Vegaman_Dan December 10, 2008 6:18 PM PST
*.wri files? Wow, that's pretty obsolete. I wasn't aware anyone even used those. The world works with TXT and DOC files. WRI?

Might want to try to go for something a little more mainstream.
by timber2005 December 11, 2008 8:52 AM PST
But they couldn't exploit those ;)
by December 11, 2008 3:41 AM PST
Microsoft engineers are hard at work as I type working on a text virus. It is about the only file type left they haven't created one for.
by ncaissie December 11, 2008 4:49 AM PST
You're an idiot
by jinx101a December 11, 2008 7:05 AM PST
I second ncaissie's thoughts.
by timber2005 December 11, 2008 8:53 AM PST
And while Microsoft is doing that, we are attempting to educate our youth so they don't end up as pitiful as you.

Microsoft engineers developing a virus... they have better things to do.
by patch991 December 11, 2008 8:48 AM PST
Hear, hear!!
by timber2005 December 11, 2008 8:58 AM PST
The solution to me seems simple.
If they are using Win2000, Server 2003 (any SP), Microsoft needs to put out an extra security update to patch the flaw.
If they are using XP (SP0-SP2), tell them to upgrade to SP3. It's been out a year, time to move up.
Though taking the bits out of SP3 and making them a patch for this wouldn't be hard, it just seems redundant when someone does upgrade to SP3. It's supposed to be a rollup of patches and other fixes, not a bunch of fixes cut up for users who can't commit to the full package. (It does help companies though).