Security holes plague Microsoft Word, Outlook

Bill Brenner

A "moderately critical" vulnerability in Microsoft Word and Outlook could allow an attacker to remotely access computer systems, Copenhagen, Denmark-based IT security firm Secunia said.

The advisory said the problem arises when Word is used to edit mail in Outlook. This could be exploited to execute arbitrary code on a user's system if the user is tricked into forwarding a malicious e-mail with an unclosed "OBJECT" tag. The flaw could also be exploited through malicious HTML documents if edited in Word.

According to the advisory, the vulnerability can reportedly be exploited only when mail is forwarded.

Secunia advises people not to use Word as the default mail editor.
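As an added illustration (not code from Secunia, Microsoft or this article), a mail gateway could also hold HTML mail whose body contains an unclosed "OBJECT" tag before it reaches a Word-based editor. The sketch assumes "unclosed" means an `<object` opening with no later `</object>`; the function names and sample messages are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Matches "<object" and "</object" in any letter case.
OBJECT_TAG = re.compile(r"<(/?)object\b", re.IGNORECASE)

def unclosed_object_count(html: str) -> int:
    """Count <object openings that no later </object closes (heuristic)."""
    depth = 0
    for m in OBJECT_TAG.finditer(html):
        if m.group(1):                 # closing tag
            depth = max(0, depth - 1)  # a stray closer cannot hide a later opener
        else:                          # opening tag, with or without its final ">"
            depth += 1
    return depth

def scan_message(raw: str) -> dict:
    """Check every text/html part of an RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    unclosed = 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes the transfer encoding and charset
            unclosed += unclosed_object_count(part.get_content())
    return {"subject": str(msg["Subject"]),
            "unclosed_objects": unclosed,
            "hold": unclosed > 0}

def build_sample(subject: str, html: str) -> str:
    """Constructed test mail: plain-text body plus an HTML alternative."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(html, subtype="html")
    return msg.as_string()

# Constructed samples, not taken from the advisory.
SUSPECT = build_sample("Fwd: report",
    '<html><body><p>See attached.</p><OBJECT data="sample"></body></html>')
BENIGN = build_sample("Newsletter",
    '<html><body><object data="a.svg"><p>fallback</p></object></body></html>')

if __name__ == "__main__":
    for raw in (SUSPECT, BENIGN):
        print(scan_message(raw))
```

Because the check is a pattern match rather than a full HTML parse, it can also flag the string `<object` inside comments or scripts, so it suits a hold-for-review queue better than an outright block.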

James C. Slora Jr., assistant director of information technology for Chantilly, Va.-based engineering and land development firm Patton Harris Rust & Associates, reported the problem to Microsoft. "Word appears not to be subjected to Security Zone restrictions. Instead, individual and very specific commands and handlers appear to get blocked during HTML parsing," Slora said in an e-mail. "This apparent approach to Word security may mean that whole families of vulnerabilities that have been blocked in Outlook and Internet Explorer are probably still exploitable in Word."

He added, "I expect Microsoft to eventually issue a patch against the specific scenario I disclosed if they get enough heat about it, but there are probably a lot more exploit possibilities in Word."

Microsoft could not immediately be reached for comment.

Affected products are:

  • Microsoft Office 2000
  • Microsoft Office 2003 Professional Edition
  • Microsoft Office 2003 Small Business Edition
  • Microsoft Office 2003 Standard Edition
  • Microsoft Office 2003 Student and Teacher Edition
  • Microsoft Outlook 2000
  • Microsoft Outlook 2003
  • Microsoft Word 2000
  • Microsoft Works Suite 2003
