New zero-day affects Microsoft Word

By Bill Brenner, Senior News Writer 06 Dec 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft said the "limited" zero-day attacks affect Microsoft Word 2000 and 2002, Microsoft Office Word 2003; Microsoft Word Viewer 2003 and 2004 for Mac; Microsoft Word 2004 version X for Mac; and Microsoft Works 2004, 2005 and 2006.

Zero-day attacks: Zero-day flaws target 'safe' programs Nov. 1: Zero-day attacks target Microsoft Visual Studio Nov. 6: Microsoft eyes second zero-day threat in a week Sept. 19: Zero-day attack targets IE July 18: Microsoft plans PowerPoint zero-day patch Jun. 16: Microsoft Excel zero-day flaw discovered May 19: Zero-day threat targets Microsoft Word

"In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker," Microsoft said. "As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources."

Microsoft said the investigation continues and that it may develop a patch if the situation requires one.

The French Security Incident Response Team (FrSIRT) described the flaw as a memory corruption error that occurs when malformed documents are handled. Attackers could exploit the flaw to execute malicious commands on targeted machines, FrSIRT said in its advisory.

Microsoft and other vendors have been forced to contend with an explosion of zero-day attacks this year, and Aliso Viejo, Calif.-based eEye Digital Security has launched a new Web page to help IT administrators keep track.

As of Tuesday, the site listed seven zero-day flaws, six affecting Microsoft and one affecting to Adobe Acrobat. The vendor outlines steps users can take to mitigate each flaw.

"The increasing proliferation of zero-day vulnerabilities means the previous window of opportunity IT had to secure networks between the release of a software patch and an attack has been slammed shut," Marc Maiffret, eEye's founder and CTO, said in a statement. "More zero-day security vulnerabilities and attacks are being discovered every day and dealing with them can easily dominate an enterprise's IT efforts. As a result, we've been overwhelmed by requests from our customers to give them the information and time they need to protect their networks."

Tags: Security Patch Management,  Securing Productivity Applications,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw Firefox update addresses several security flaws Securing Productivity Applications Adobe fixes critical Shockwave Flash Player flaw Adobe issues first quarterly patch release fixing 13 flaws Adobe shifts to Microsoft patching process, incident response plan Balancing security and performance: Protecting layer 7 on the network Software Piracy pandemic needs government role, better vendor antipiracy plans McAfee to acquire Solidcore Systems for whitelisting Adobe issues Reader update fixing zero-day flaw Microsoft to patch critical PowerPoint zero-day flaw PCI DSS: Best practices for compliance Adobe working on patch to correct new zero-day flaw

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary