Microsoft probes Word flaw that permits targeted attacks

Microsoft is looking into a vulnerability that could affect Word, the company said Monday.

Overall, Microsoft said, it believes the vulnerability's risk is limited because its requires people to take multiple steps for the hack to be successful. Microsoft said it is only aware of targeted attacks that take advantage of the flaw.

The vulnerability is in Microsoft's Jet Database engine, which can be exploited through Word. Microsoft is investigating whether other applications can also exploit the vulnerability.

According to Microsoft's security alert:

Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.

Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.

People who believe they have been attacked can go to the Microsoft Web site for support.

[rmva]

Correction

"Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue."

[suyts]

It would be helpful to most readers

to specifically list WHAT "steps" are involved in allowing a hack to be successful.

[Dalkorian]

typical

Let me get this straight. Word, which is (supposed to be) a word
processing application can be used to attack the database
engine?

We *MUST* be talking about M$ here, not because of the names
of the programs but because of the simple ridiculousness of a
database engine being so vulnerable to attack that you can use a
word processor to do it!

What were these monkeys smoking when they wrote this trash
anyway?

[suyts]

I suppose you only use a word processor

to write letters. For those of us that enjoy a little more functionality from our programs, we expect Word to have access to our databases. To make it simple it goes something like this; Word process with e-mail. E-mail = access to database. Database is, of course, tied to the engine. Yeh, why would anyone allow a word processor access to a db engine, you can just hire a few hundred more clerks to write letters and forms that one can do today.