January 25, 2007 3:57 PM PST

Another Word zero-day bug used in attacks

Watch out for malicious Word documents.

Another previously undocumented, yet-to-be-patched security vulnerability in Microsoft Word is actively being exploited in cyberattacks, Microsoft said Thursday.

The vulnerability is the fourth zero-day vulnerability to arise in the Microsoft application in two months. Microsoft hasn't provided patches for any of the flaws, despite acknowledging that the holes are being used in attacks on its customers.

"There have been very limited attacks reported that are attempting to use the reported vulnerability at this time," a Microsoft representative said Thursday in a statement about the latest problem. The company is investigating this latest report and may issue a patch, if needed, the representative said.

The newest problem allows an attacker to hijack systems running Word 2000 and causes a crash of Word 2003 and Word XP, Symantec said in an alert Thursday. "An attacker could exploit this issue by enticing a victim to open a malicious Word file," the Cupertino, Calif.-based security company said.

Security experts have said the limited-scale attacks are the most dangerous. Widespread worms, viruses or Trojan horses sent to millions of mailboxes are typically not a grave concern because they can be blocked. Instead, especially for businesses, targeted Trojan horses have become nightmares, as they can fly under the radar.

Symantec advises people to make sure their security software is up-to-date and urges caution when opening Word documents. Businesses should put policies in place to prevent Word documents from being distributed to users, Symantec said.

Prevent word documents from being distributed???
by mwsmith824 January 25, 2007 4:30 PM PST
"Businesses should put policies in place to prevent Word documents from being distributed to users, Symantec said."

You've got to be kidding me? Most businesses would have to shut down if they couldn't send word documents within the organization. How about a useful recommendation, like finding another word processing program, or perhaps making the same noise you do about major worms in the press and getting Microsoft to release something faster to avoid a negligence lawsuit.
Re: a useful recommendation
by rcrusoe January 25, 2007 6:40 PM PST
OK, here's a suggestion. If the recipient doesn't need to edit the files send him a PDF. If he does, save your documents as RTF files rather than DOC? Or better yet, save them as ODF.

http://sourceforge.net/project/showfiles.php?group_id=169337

Word's Doc files have been biting people in the backside for years. If they aren't carrying a malicious payload, they are blabbing your secrets.

http://news.bbc.co.uk/2/hi/technology/3154479.stm
Don't distribute Word docs at work?!?!?
by kevsmail January 25, 2007 6:29 PM PST
Totally unrealistic in today's business world, with MS Office dominating the desktop. We are constantly having to email Word and Excel docs back and forth between staff to conduct business. The only realistic approach is to either have MS fix these flaws quicker and to have your IT staff be vigilant about updated virus protection for all workstations...
Don't worry, it will all be cured when the...
by boomslang January 26, 2007 7:44 PM PST
Feinstein bill gets through Congress that holds people responsible for computer intrusions due to lack of maintenance. Then it will be a crime to knowingly run any Microsoft Office products on the internet or use them to freely exchange files generated by Microsoft Office. Here we are, three months and counting. Four known holes will be fixed in February, only for us to be left hanging in the breeze for another month while the fifth and latest waits to be patched. Don't worry, the attacks are targeted, very few people are being compromised, STBY if you are the target. Nuke and reload is in your future after your company's private data is stolen.
Yes, don't send documents by mail
by alinconstantin January 26, 2007 12:07 AM PST
There are plenty of other solutions to share documents. You don't have to send them attached in mail.
You can put them for instance on a known/trusted file share and send the link, or better put them into a known/trusted SharePoint or web server the whole team is using, or check them in into your source control/content management database, etc.
Or if you really need to send content by mail you can simply send mail in RTF format and copy/paste from the Word/Excel doc into your message.
Someone must be insane to insist on opening attached documents received in email (no matter their format) after all the viruses and worms that circulated in the last years...
Stop using Microsoft will fix the problem
by wbenton January 27, 2007 6:20 AM PST
Critical flaws are to be patched within 24 hours.

Non-critical flaws are to be patched within 72 hours.

Microsoft has been aware of at least 3 zero-day flaws more than a week prior to their January Security Updates... and that was 2 weeks ago.

Shows how concerned Microsoft is about the security of their users!

Bottom Line: Swap to Linux and resolve the slow patching track-record of Microsoft.

Walt