March 24, 2008 8:11 AM PDT

Microsoft probes Word flaw that permits targeted attacks

by Martin LaMonica

Microsoft is looking into a vulnerability that could affect Word, the company said Monday.

Overall, Microsoft said, it believes the vulnerability's risk is limited because it requires people to take multiple steps for the hack to be successful. Microsoft said it is only aware of targeted attacks that take advantage of the flaw.

The vulnerability is in Microsoft's Jet Database engine, which can be exploited through Word. Microsoft is investigating whether other applications can also exploit the vulnerability.

According to Microsoft's security alert:

Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.

Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.

People who believe they have been attacked can go to the Microsoft Web site for support.

Martin LaMonica is a senior writer for CNET's Green Tech blog. He started at CNET News in 2002, covering IT and Web development. Before that, he was executive editor at IT publication InfoWorld.
Correction
by rmva March 24, 2008 8:50 AM PDT
"Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue."
It would be helpful to most readers
by suyts March 24, 2008 10:30 AM PDT
to specifically list WHAT "steps" are involved in allowing a hack to be successful.
typical
by Dalkorian March 24, 2008 2:28 PM PDT
Let me get this straight. Word, which is (supposed to be) a word
processing application can be used to attack the database
engine?

We *MUST* be talking about M$ here, not because of the names
of the programs but because of the simple ridiculousness of a
database engine being so vulnerable to attack that you can use a
word processor to do it!

What were these monkeys smoking when they wrote this trash
anyway?
I suppose you only use a word processor
by suyts March 24, 2008 3:58 PM PDT
to write letters. For those of us that enjoy a little more functionality from our programs, we expect Word to have access to our databases. To make it simple it goes something like this; Word process with e-mail. E-mail = access to database. Database is, of course, tied to the engine. Yeh, why would anyone allow a word processor access to a db engine, you can just hire a few hundred more clerks to write letters and forms that one can do today.