Security Bytes: Microsoft Word, Office vulnerable to denial-of-service attack

In other news, Schmidt returns to government and hurricanes impact spam -- temporarily.

Microsoft Word, Office vulnerable to denial-of-service attack
Secunia said the problem -- discovered by HexView -- is an input validation error within the parsing of document files that could lead to a stack-based buffer overflow. "This can be exploited to crash the process when the user opens a specially crafted document," Secunia said. "However, due to the nature of the problem, execution of arbitrary code may potentially also be possible, though it has not been proven."

Secunia said it confirmed the vulnerability in Microsoft Word 2000, but added it has also been reported in Microsoft Word 2002. Microsoft Office 2000 and Office XP are also affected, Secunia said.

"For Internet Explorer users, documents on Web sites can be opened automatically in the browser, unless the security level for the 'Internet' security zone is set to 'high' or the 'file download' setting has been disabled," the advisory added. The firm said the vulnerability is unpatched and "highly critical." It recommends users open trusted documents only.

A Microsoft spokesperson told CNET it is investigating the issue, but criticized HexView for not bringing it to the software giant's attention before going public. "We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," the spokesperson said. "Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

Hurricanes not enough to stop spam
Marina del Rey, Calif.-based FrontBridge Technologies Inc. said spam volumes reached a record peak of 91% Sept. 12 and hit a monthly average of 85%, an increase of 3% from August. This, despite a significant decline in spam messages during the days following three separate hurricanes last month. "The data was compiled by a specialized spam analyst team from data collected on the FrontBridge network over the last month," the company said in a statement. For each hurricane -- Frances, Ivan and Jeanne -- the day of the hurricane and the day following showed the biggest declines in spam. After Hurricane Frances, spam volumes fell from 89% to below 82%. Following Hurricane Ivan, spam fell from the record peak for the month of 91% to below 84%. As Hurricane Jeanne departed, the amount of spam messages dipped 6% to 83%. "Spammers are in the volume business -- the more spam they send, the more money they can make," said Dan Nadir, vice president of product management at FrontBridge. "While the series of hurricanes that hit Florida in September impacted spam volumes on a short-term basis, spammers more than made up for lost time during the rest of the month and still managed to produce an 'up' month overall."

Schmidt to be named chairman of U.S. CERT
Howard Schmidt, CSO at eBay Inc. and a former White House cybersecurity adviser, has been named chairman of the U.S. Computer Emergency Readiness Team. The official announcement is expected next week, almost a year after Department of Homeland Security officials approached Schmidt for help with the U.S. CERT. Senior members of DHS approached him last December during the inaugural National Cyber Security Summit and asked for his assistance in working with the private sector, according to Computerworld. Other senior DHS and private-sector officials, who at the time spoke on condition of anonymity, said Schmidt was approached amid concerns that the agency wasn't getting good advice on cybersecurity and critical-infrastructure protection from outside "industry experts." At the time, Schmidt told Computerworld he was concerned about overextending himself. In addition to his role as CSO at eBay, Schmidt was then considering a run for Congress, had co-founded the Global CSO Council and was serving as co-chairman of the awareness and education committee of the Cyber Security Task Force, which was formed at last year's National Cyber Security Summit. He's expected to remain at eBay. DHS announced earlier this week that Andy Purdy, the NCSD's deputy director, will become interim director, following the abrupt departure last week of Amit Yoran. Yoran resigned amid speculation he had become frustrated with the political hand-wringing at the DHS and the lack of clout that came with the job.