A new Trojan horse exploits an unpatched flaw in Microsoft Office and could let an attacker commandeer vulnerable computers, security experts have warned.
The malicious code takes advantage of a flaw in Microsoft's Jet Database Engine, a lightweight database used in the company's Office productivity software. The security hole was reported to Microsoft in April, but the company has yet to provide a fix for the problem.
"Microsoft is aware that a Trojan recently released into the wild may be exploiting a publicly reported vulnerability in Microsoft Office," a company representative said in a statement sent via e-mail on Friday. The software maker is investigating the issue and will take "appropriate action," the representative said.
The Trojan horse arrives in the guise of a Microsoft Access file, security software maker Symantec said in an advisory. When run on a vulnerable system, it would give a remote attacker full access to a compromised computer, Symantec said. The company calls the pest "Backdoor.Hesive" and notes that it is not widespread.
Although exploits had already been released in April when HexView publicly reported the flaw, the Trojan is believed to be the first actual threat to take advantage of the security hole. Security monitoring firm Secunia rates the issue "highly critical," one notch below its most serious rating.
"The vulnerability is caused due to a memory handling error when...parsing database files," Secunia said in its April advisory. "This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access."
Symantec advises users to be cautious when opening unknown files. The security software maker lists all recent Windows releases as vulnerable to the Trojan attack.
people get frustrated and angry with Microsoft. Here the company has known about a potential critical flaw for five months and has released no fix. Now I'm not saying Microsoft does this with every flaw that is discovered, but it only takes one to be a problems.
Truthfully though it doesn't really matter if it's Microsoft or some other closed or open source company, five months is plenty of time to fix a flaw. In this case it's Microsoft with a highly installed piece of software. Tomorrow it could be Apple, Mozilla, or even Opera, but at least for some getting fixes out doesn't take five months.
as you know, it took firefox to take a bite out of IE and force MS to suddenly start working on it again. since OOo isn't seen as a threat to MS Office and there is no visible threat in sight, MS have no interest in delivering a quality product until they want to make some money out of it.
I am anxiously awaiting for the MS apologists to defend letting a known flaw go for 5 months.
Most other software companies and open source projects get the flaw fixed BEFORE it gets exploited. MS waits until an exploit shows up and the 'looks into it'
This is but one reason why MS is a joke of a company . Unprofessional and incompetent.
I don't know if anybody will stand behind Microsoft for waiting five months to release a fix (which hasn't been released yet), but I'm sure there will be excuses from Microsoft. Somebody once said that it's not the amount of flaws that a program has because it only takes one to be a problem. I extend that with how long it takes to fix the flaw that is the protagonist to the problem.
I will say it again. It doesn't matter what company or organization you are it shouldn't take five months to fix a flaw. Now if you have a patch available and users don't install it then that is their problem most of the time.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
Whether Apple will release a new iPad next month doesn't seem to be the question as much as what day it will happen. A new rumor has it down to the day.
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
As UC Berkeley students, the co-founders of "Back to the Roots" discovered they could grow mushrooms using recycled coffee grounds. Now their mushroom kit sells at grocery stores across the country.
Truthfully though it doesn't really matter if it's Microsoft or some other closed or open source company, five months is plenty of time to fix a flaw. In this case it's Microsoft with a highly installed piece of software. Tomorrow it could be Apple, Mozilla, or even Opera, but at least for some getting fixes out doesn't take five months.
Most other software companies and open source projects get the flaw fixed BEFORE it gets exploited. MS waits until an exploit shows up and the 'looks into it'
This is but one reason why MS is a joke of a company . Unprofessional and incompetent.
I will say it again. It doesn't matter what company or organization you are it shouldn't take five months to fix a flaw. Now if you have a patch available and users don't install it then that is their problem most of the time.