New zero-day affects Microsoft Word

By Bill Brenner, Senior News Writer 06 Dec 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft said the "limited" zero-day attacks affect Microsoft Word 2000 and 2002, Microsoft Office Word 2003; Microsoft Word Viewer 2003 and 2004 for Mac; Microsoft Word 2004 version X for Mac; and Microsoft Works 2004, 2005 and 2006.

Zero-day attacks: Zero-day flaws target 'safe' programs Nov. 1: Zero-day attacks target Microsoft Visual Studio Nov. 6: Microsoft eyes second zero-day threat in a week Sept. 19: Zero-day attack targets IE July 18: Microsoft plans PowerPoint zero-day patch Jun. 16: Microsoft Excel zero-day flaw discovered May 19: Zero-day threat targets Microsoft Word

"In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker," Microsoft said. "As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources."

Microsoft said the investigation continues and that it may develop a patch if the situation requires one.

The French Security Incident Response Team (FrSIRT) described the flaw as a memory corruption error that occurs when malformed documents are handled. Attackers could exploit the flaw to execute malicious commands on targeted machines, FrSIRT said in its advisory.

Microsoft and other vendors have been forced to contend with an explosion of zero-day attacks this year, and Aliso Viejo, Calif.-based eEye Digital Security has launched a new Web page to help IT administrators keep track.

As of Tuesday, the site listed seven zero-day flaws, six affecting Microsoft and one affecting to Adobe Acrobat. The vendor outlines steps users can take to mitigate each flaw.

"The increasing proliferation of zero-day vulnerabilities means the previous window of opportunity IT had to secure networks between the release of a software patch and an attack has been slammed shut," Marc Maiffret, eEye's founder and CTO, said in a statement. "More zero-day security vulnerabilities and attacks are being discovered every day and dealing with them can easily dominate an enterprise's IT efforts. As a result, we've been overwhelmed by requests from our customers to give them the information and time they need to protect their networks."

Tags: Security Patch Management,  Securing Productivity Applications,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Securing Productivity Applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Adobe acknowledges serious Flash zero-day vulnerability Adobe issues security advisory for Flash zero-day flaw When to use the service features of the Metasploit hacking tool How to manage patches for Adobe

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary