September 12, 2006 2:42 PM PDT

No fix yet for Word 2000 flaw

Microsoft on Tuesday provided patches for three security flaws, but it does not have a fix yet for a Word 2000 vulnerability being exploited in cyberattacks.

As part of its monthly patch cycle, Microsoft released updates for Office and Windows users to repair a trio of security flaws, a tally that is notably fewer than in previous months. The software maker deems the Office problem "critical"--its most serious rating. The Windows problems have a lower severity rating.

"What's not there is more news than what is there, from what we can see," said Amol Sarwate, research manager at vulnerability management company Qualys."The first thing we noticed is a lack of a patch for the Microsoft Word vulnerability at large; they did not have enough time to produce a patch."

Microsoft last week warned that miscreants are using a previously unknown flaw in Word 2000 in cyberattacks. These attacks come by way of rigged Word documents attached to an e-mail or otherwise provided to the targeted person. Microsoft has said that it is working on a patch, but in a security advisory posted Sept. 6, it did not give an expected release date.

The yet-to-be addressed Word 2000 flaw is similar to the Office flaw that Microsoft did tackle on Tuesday. This vulnerability affects Microsoft Publisher in Office 2000, Office XP and Office 2003. An attacker could exploit it by crafting a malicious Publisher file and tricking someone into opening it, perhaps by hosting it on a Web site or sending it by e-mail, Microsoft said in security bulletin MS06-054.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft said. "We recommend that customers apply the update immediately."

Publisher is Microsoft's desktop publishing application. The software maker recommends all Office users install the patch, regardless of whether Publisher is installed, because other Office applications use some of the same compromised files.

Of the two Windows vulnerabilities addressed by Tuesday's fixes, one could allow an attacker to remotely take control of a PC and the other could lead to information disclosure, Microsoft said.

A flaw in a protocol for data exchange in Windows XP could let an intruder hijack a vulnerable system by sending it a special data packet, according to Microsoft security bulletin MS06-052. However, the Pragmatic General Multicast, or PGM, protocol is part of Microsoft Message Queuing technology version 3.0, which is not enabled by default, Microsoft said.

The information disclosure vulnerability exists because of a cross-site scripting flaw in a part of Microsoft's Indexing Service, Microsoft said in security bulletin MS06-053. An attacker could exploit the flaw to run script code on a vulnerable PC. The script could spoof content, disclose information or take any action that the user could take on a specific Web site, Microsoft said.

The patches are available online and will be pushed out via Microsoft's Automatic Updates service. As for the unpatched Word flaw, Qualys recommends Windows users install multiple layers of security software and use caution when opening e-mail attachments.

See more CNET content tagged:
Microsoft Word 2000, flaw, Qualys Inc., attacker, cyberattack


Join the conversation!
Add your comment
Is security possible with MS at all?
The Word 2000 patch delay raises the possibility that Microsoft does not consider security flaws affecting Office 2000 commercially important, possibly because of the firm's tiered approach to security that eventually phases out patches for apps that don't "earn" any longer for MS.

A further concern that we should all bear in mind is that if Office 2000 security issues matter at all, then security must matter for Office 97 as well. But does Office 97 get any patches at all now?

Security in a total context is also now compromised by the fact that Microsoft's commercial qualification to what the term "security" means has also dropped millions of Windows 98 PCs off the security fix radar.

The problem being that there are two halves to a secure Internet: The secure PCs one uses, and the unsecured PCs running older apps (in an efficient and wise economic use of the computer as an investment) that are going to be malware breeding grounds. Not because the software is obsolete or has run through its period of reasonable durability, but because the software maker prefers people to rebuy their sofware relatively frequently and so ends security support for older products.

Microsoft's current working implementation of desktop computer security thus covers only half of the threat base, and then only a portion of the one half it is dedicated to--because the MS approach leaves out older software that is still in use and still a threat.

The point being that the slow Word 2000 patch signifies the small tip of a much larger security iceberg. An iceberg caused entirely by MS's failure to realize that once an OS or a mass-used application suite is released and bought by millions primarily because of the economic efficiency these apps represent, it will need security fixes for many many years lest the economically valid and to-be-anticipated long-time use of such apps continue to put other users at risk AFTER the vendor pulls security fixes.
Posted by PolarUpgrade (103 comments )
Reply Link Flag
To be fair...
Office apps don't directly connect to a network (or rather, [i]shouldn't[/i]. This gives them a bit of a lower priority than the apps that are a whole lot closer to the network stack (web browsers, MSSQL Server, stuff like that).

As for the rest, yeah, I agree - but MSFT is only king of the upgrade treadmill - many, many, many other companies out there force users to upgrade or die.

As for end-of-life issues, MSFT is going to become a victim of this eventually... I doubt that Vista will be bought in any real volume outside of OEM installs, and with decent hardware lasting longer (no more two-year upgrade cycles like we had in the late 90's - early 00's), MSFT has a bit of trouble ahead.
Posted by Penguinisto (5042 comments )
Link Flag
Responsible Security Vendors
Most security concious companies patch critical flaws within 24 hours and non-critical flaws within 72 hours.

Microsoft however, continues to patch what they want, when they want, as they like... only proving their security irresponsibility!!!

Posted by wbenton (522 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.