Microsoft Warns Of Fourth Word Flaw

Successful attacks require users to open a malformed Word 2000 file attachment or download one from a malicious Web site.

January 29, 2007

1 Min Read
NetworkComputing logo in a gray background | NetworkComputing

Microsoft is digging into the fourth unpatched vulnerability in Microsoft Word in the last two months, the company security team said.

The zero-day flaw, which was first publicized Friday by Symantec , lets attackers hijack PCs running Microsoft Word 2000, and crash machines with Word 2002 or 2003. Attacks already are under way.

Microsoft's Security Response Center (MSRC) posted a warning late Friday. "We are currently investigating a report of a posting of proof of concept code which could allow an attacker to execute code on a user's machine by convincing them to open a specially-crafted Word document," Alexandra Huft of the MSRC in a blog posting. "We are aware of very limited, targeted attacks attempting to use the vulnerability reported."

Successful attacks require users to open a malformed Word 2000 file attachment, or download and open such a document from a malicious Web site, said Microsoft.

The flaw is the fourth Word flaw to go unpatched. In early-to-mid December, Microsoft acknowledged three other Word vulnerabilities. None of those bugs were patched during the December or January regularly scheduled security updates.In the Friday warning, Microsoft promised to patch the new Word 2000 zero-day flaw but set no timetable for producing a fix.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights