February 15, 2007 12:18 PM PST

Zero-day attack hits Word

A new, yet-to-be-patched security hole in Word is being used in targeted cyberattacks, Microsoft has warned.

When a user opens a rigged Word file, it may corrupt system memory in such a way that an attacker could gain complete control over the PC, Microsoft said in a security advisory posted late Wednesday. Office 2000 and Office XP are at risk, the company said. The two recent versions, Office 2003 and 2007, are not affected.

As with most of the Office vulnerabilities, an attacker would have to trick a user into opening a malicious file to be successful. The vulnerability is being exploited in "very limited, targeted attacks," Microsoft said. A security update to repair the problem is in the works, it added.

Word of the new flaw comes a day after Microsoft released updates for nine other Office-related vulnerabilities. Five of them were zero-day flaws, or security holes that have been publicly disclosed but not fixed.

Security experts have said that limited-scale attacks are the most dangerous. Widespread worms, viruses or Trojan horses sent to millions of mailboxes are typically not a grave concern, because they can be blocked. But targeted Trojan horses, especially those aimed at specific businesses, have become nightmares as they can fly under the radar.

Cybercrooks have found that they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after "Patch Tuesday"--the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.

Interesting...
by Jschneeky February 15, 2007 6:55 PM PST
"Nowadays, security guys break the Mac every single day," Gates
said. "Every single day, they come out with a total exploit, your
machine can be taken over totally. I dare anybody to do that once a
month on the Windows machine."

Would you care for some salt and pepper for your foot, Mr. Gates?
Ha, I Can't Even Patch Office Anymore
by Stating February 15, 2007 7:17 PM PST
I got sick of having 3 years' worth of MS patches chew up my disk space so I deleted those useless MSP files. Now every time I try to do an MS Office update, I get this stupid message. What kind of crappy technology does MS use, where every blasted patch they issue has to consume gobs of disk space? Can't they just put a simple entry in the Registry and be done with it? Oh, I forgot, if they didn't have crappy technology in the first place they wouldn't have to keep issuing patches.

"Office Update is unable to check for updates
The Office Update site is unable to check for updates on this computer. This may be happening because of one of the following reasons:

You do not have administrative privileges for this computer.
There is a network problem and the detection catalog used by the Office Update site failed to download. Go back to the Downloads home page and try running detection again.
Windows Installer patch files (.MSP files) from previously applied Office updates are missing from the \Windows\Installer hidden directory on your computer. MSP files are stored on your computer after update installation completes because they need to be referenced for future update operations. If the files are missing you will not be able to apply Office updates. You may also be unable to uninstall Office products as a result of the same problem."
Waa Waa
by ThePenguin February 16, 2007 6:51 AM PST
Buy a bigger HD.

Maybe you shouldn't have deleted the MSP files, the error tells you as much.

"MSP files are stored on your computer after update installation completes because they need to be referenced for future update operations"

This is why a "registry reference" would not work: it needs to access parts of code contained within the previous updates.

Or is this a pirated copy of Office?

I bet you could pick up Word Perfect for just about nothing, and it hasn't been updated in years, so have fun.
You get what you pay for,
by Macsaresafer February 16, 2007 6:59 AM PST
and you paid for Microsoft software.

Your pain, their profit.
No, It Is Bad MS Programming
by Stating February 16, 2007 9:41 AM PST
Think about how nuts this is. First you install a patch which replaces existing .exe or .dll. Then Windoze keeps a "backup" copy of things in case you want to back out the patch. OK, fine. But there is no capability at some point to say, "clean out the old crud patches". So over time you end up with 100s of megs of patch crud that you are stuck with. That is just nuts. Poor, poor, design.

The particular problem with MS Office referencing these old MSP files in order to process future patches doesn't occur with patches to the OS. I delete old XP patch files all the time and never have a problem subsequently running new XP updates.