New zero day flaw in Word for PCs and Macs

Stan Beer
Wednesday, 06 December 2006 15:33

Your IT - Home IT

A serious new flaw in a number of versions of Microsoft Word for both PCs and Macintosh computers could enable attackers to execute code on target computers. The zero day flaw has been flagged by Microsoft as a security advisory on its website and a patch has not yet been developed.

Versions of Word affected by the flaw include Word 2000, Word 2002, Word 2003, Word Viewer 2003, Word 2004 for Mac, Word 2004 v. X for Mac, and Works 2004, 2005, and 2006.

Based on Microsoft's own vulnerability classifications, the flaw would probably not be placed in the critical category because, as Microsoft points out in its advisory, a user would have to initiate an action that would enable an attacker to execute code on their computer.

According to the advisory: "In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

"In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by persuading the user to open the file."

The usual advice about not opening or saving files from unknown sources applies. However, there is no news yet whether there will be a patch available in time for the coming Patch Tuesday on December 12.