Microsoft Adds New Help On Word Zero-Day

Microsoft revised a security advisory targeting an in-the-wild exploit of Word XP and Word 2003 to clarify a work-around for enterprises, repeated that it was on track to deliver a fix June 13, and offered up another tactic to protect users.

The advisory, which was revised Friday, now includes more detail about how corporations can defend themselves by using group policies to force Word into running in "Safe Mode."

The online alert also reiterated the patch's timetable. "The security update is on schedule to be released as part of the June security updates on June 13, 2006," it read.

In an associated blog entry, Stephen Toulouse, a program manager for the Microsoft Security Response Center (MSRC), essentially approved the tactic of editing the Windows registry to force Word to run in a restricted mode. That approach was taken by an independent researcher two weeks ago when he released an unsanctioned fix.

"What we’ve seen in general with these types of attacks is that the 'Basic User' Software Restriction Policy [SRP] is a 'good practice' kind of mitigation that can prevent this specific malware from being successful," wrote Toulouse. "If you’re looking for a more general way to add another layer to help protect against attacks like these, the SRP mitigation can work for many different types of malware."Toulouse pointed Word users to a January 2005 article on the MSDN site that spells out how to run selected applications in restricted mode.

"This is not meant to be a cure-all, but it’s interesting information we found in our investigations that can serve as a useful mitigation," Toulouse concluded.

Microsoft and third-party security vendors have characterized the zero-day vulnerability as a limited threat because so far it's been used only in very targeted attacks.