Friday, February 16, 2007

Microsoft warns of new Word bug

Microsoft has acknowledged that a bug in Word is being used by hackers to commandeer computers.

On Tuesday, Microsoft released 12 security bulletins with patches for 20 vulnerabilities, including six for Word and one each for PowerPoint and Excel.

"All the zero-day [vulnerabilities] in Word and Office were patched on Tuesday," Mark Griesi, security program manager for the MSRC (Microsoft Security Response Center), said on Wednesday.

Griesi said the status of the bugs and their patches - most of which were being used by cybercriminals in targeted attacks - was confusing. "Some of that is because in the time since the vulnerabilities began appearing, there were other reports on new zero-days," said Griesi. "But those were not new zero-days."

Instead, Microsoft determined that in-the-wild exploits weren't working, or that the bugs being used had already been disclosed. The newest Word flaw fits the first scenario.

On 9 February McAfee researchers said they had found another unpatched bug in Microsoft Word 2000. That same day, Microsoft reported that its analysis indicated the flaw could only crash the word processor. Such DDoS (distributed denial of service) vulnerabilities are considered less threatening, since they may not let the attacker run his own code on the compromised machine.

As it turns out, however, Microsoft was wrong. "[Our] analysis shows that this vulnerability is likely not limited to denial of service and that remote code execution may in fact be possible," Craig Schmugar, virus research manager at McAfee's Avert Labs, wrote in a warning.

In a security advisory posted Wednesday, Microsoft admitted that the flaw in Word 2000 and Word 2002 could be exploited to "corrupt system memory in such a way that an attacker could execute arbitrary code."

Attacks leveraging Office bugs are typically delivered in malformed documents attached to e-mail messages. Hackers try to dupe recipients into opening the attachments. As it has before, Microsoft's recommendation was to not open Office documents unless they came from a trusted source and were expected.

A patch is planned, Microsoft said, but it did not set a time line. The next scheduled security updates from the Redmond, Wash. developer are not set to appear until 13 March.

According to third-party security organizations, Microsoft has numerous problems that still need to be addressed. The Sans Institute's Internet Storm Center, for instance, lists seven unpatched Microsoft bugs, including the just-acknowledged Word flaw as well as a December bug that affects several editions of Windows, Vista among them. eEye Digital Security's Zero-Day Tracker, meanwhile, lists five unpatched Microsoft vulnerabilities.

"All these are still being worked on," said Microsoft's Griesi.