Wednesday

Office Word 2002 SP3 Zero day revealed



Good and bad news. The bad news is that there is an unpatched vulnerability in MS Word. The good news is that it's version-specific and only gives an attacker the same privileges as the current user (and let's hope that user isn't running with administrator rights). Let's keep an eye on this one.

Microsoft Security Advisory (953635)
Vulnerability in Microsoft Word Could Allow Remote Code Execution
Published: July 8, 2008

Microsoft is investigating new public reports of a possible vulnerability in Microsoft Office Word 2002 Service Pack 3. Our initial investigation indicates that customers who use all other supported versions of Microsoft Office Word, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, and Microsoft Office for Mac are not affected.

At this time, Microsoft is aware of limited, targeted attacks that attempt to use this vulnerability. While Microsoft Office Word 2000 does not appear vulnerable to this issue, Word 2000 may unexpectedly exit when opening a specially crafted .doc file that the attacker is using in an attempt to exploit the vulnerability.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Microsoft is investigating the public reports and customer impact. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Customers who believe that they have been attacked can obtain security support at http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Customers in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at www.ic3.gov.

Mitigating Factors:

This vulnerability cannot be exploited on the following Microsoft Office software:

  • Microsoft Office Word 2000 Service Pack 3
  • Microsoft Office Word 2003 Service Pack 2 and Microsoft Office Word 2003 Service Pack 3
  • Microsoft Office Word 2007 and Microsoft Office Word 2007 Service Pack 1
  • Microsoft Office Word Viewer 2003 and Microsoft Word Viewer 2003 Service Pack 3
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
  • Microsoft Office for Mac 2004
  • Microsoft Office for Mac 2008

Symantec: www.securityfocus.com/bid/30124/info

Microsoft Advisory: www.microsoft.com/technet/security/advisory/953635.mspx

Microsoft Blog Post: blogs.technet.com/msrc/archive/2008/07/08/vulnerability-in-microsoft-word-could-allow-remote-code-execution.aspx
