Word open to exploit

Unpatched vuln

An unpatched security vulnerability in popular older versions of Microsoft Word poses a severe threat to users, security reporting firm Secunia warned yesterday.

The flaw stems from an input validation error in Word. This creates a mechanism for creating malicious files capable of crashing Windows boxes providing a user can be tricked into opening dodgy documents. The bug might also (at least potentially) be used to inject malicious code into vulnerable systems. A buffer overflow vulnerability, the most common class of security vulnerability, is to blame.

The vulnerability has been confirmed in Microsoft Word 2000, but has also been reported in Microsoft Word 2002. The bug has been shown to crash systems. The execution of arbitrary code might also be possible, but remains unproven. The vuln was discovered by white hat hacker HexView, who posted information about it on a full disclosure mailing list - without notifying Microsoft first.

Microsoft is yet to investigate the bug, much less develop a fix. In the meantime, Secunia advises Word users to open only trusted documents. ®

Related stories

Microsoft warns of poisoned picture peril
MS launches Office security blitz
Word 97 feature spawns no-brainer pilfering exploit

Sponsored: 10 ways wire data helps conquer IT complexity