UPDATED: Microsoft is investigating “limited” zero-day attacks exploiting vulnerabilities in multiple versions of Word for both Windows and Mac systems, according to a security advisory.
The affected products are Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for the Mac and Microsoft Word 2004 version X for Mac, as well as Microsoft Works 2004, 2005 and 2006.
The software maker said it is developing a security update addressing the flaw, which could allow an attacker to take control of a system when a user opens a malicious Word file. The file could be delivered either as an e-mail attachment or on a Web site.
Today’s zero-day vulnerability is “of the nature of previous ones,” said Marc Maiffret, CTO of eEye Digital Security, which created “Zero-Day Watch,” a central repository of zero-day reports, their seriousness and what IT managers can do to mitigate each vulnerability.
For instance, the latest resembles one that affected Word 2000 in September.
Microsoft warned folks to not open or save Word files from untrustworthy sources or unexpected files from trusted sources.
The news comes a week before the regular monthly patch release. However, Microsoft said it could offer an out-of-cycle update once it completes its investigation of the vulnerability. Six patches were issued last month, including five deemed critical.
Zero-day exploits are becoming increasingly common as automated application patching becomes more widespread, according to the SANS Institute, which last month unveiled its latest Top 20 list of Internet security
According to SANS, flaws in Microsoft Office tripled compared to 2005.
The latest security hole in Word underscores the importance of timing the release of exploits, according to Andrew Jaquith, an analyst with Yankee Group.
But the term “zero-day” has become an overused marketing phrase for security vendors, he said. “I wouldn’t be surprised if we see ‘Zero-Day Defender’ appearing.”