Patch Possible as Microsoft Confirms Word Vulnerability
By Jennifer LeClaire / CRM Daily
Microsoft has confirmed reports of a Word vulnerability that opens the door for an attacker to exploit a system. A vulnerability in the Microsoft Jet Database Engine, which shares data with Access, Visual Basic and third-party applications, makes the attack possible.

Panda Software, McAfee and Symantec have all pointed to Microsoft Jet Database Engine flaws in past months, but Microsoft does not acknowledge the bug as a critical remote-execution vulnerability because .mdb files are considered unsafe and Outlook is configured to block Access files when they are received as an attachment.

However, Elia Florio from Symantec's security response team doubts Microsoft's stand is good enough. According to Symantec's security team, the attacker needs only to find a trick to force the Jet library to open a file and run malicious code.

"Some social engineering and a little help from Office applications will work out well in this specific attack. In fact, it is possible to call MSJET40.DLL directly from MS Word, without using Access at all," Florio said. "In this attack, the .doc file uses mail-merge functionalities to import an external data-source file, and so it effectively forces MS Jet to load the malicious Access sample."
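The mechanism Florio describes, a Word document whose mail-merge data source points at an Access file, leaves a trace in the document itself that a mail gateway or endpoint scanner can check for before the file is ever opened. The checker below is an added example, not code from the article, Symantec or Microsoft. It assumes the OOXML (.docx) container rather than the binary .doc files the article mentions: in OOXML the mail-merge configuration lives in word/settings.xml and the data-source path is an external relationship in word/_rels/settings.xml.rels. The function names, the two sample documents and the file paths in them are constructed for the example.

```python
"""Flag .docx files whose mail-merge data source is an external Access (.mdb) file.

Added example: only the parts of the package that the checker inspects are built,
in memory, so it runs offline. Real documents carry many more parts.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces from the OOXML specification (WordprocessingML, document
# relationships, and package relationships).
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MAILMERGE_SOURCE = R_NS + "/mailMergeSource"

# Assumption: the article names only .mdb; .accdb (the newer Access format) is
# included because Jet/ACE handle it the same way from the merge's point of view.
JET_EXTENSIONS = (".mdb", ".accdb")


def mail_merge_sources(docx_bytes: bytes) -> list:
    """Return [(relationship_id, target, target_mode), ...] for every mail-merge
    data-source relationship declared by the document's settings part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/settings.xml" not in names:
            return []
        settings = ET.fromstring(z.read("word/settings.xml"))
        if settings.find(f"{{{W_NS}}}mailMerge") is None:
            return []  # no mail merge configured at all
        if "word/_rels/settings.xml.rels" not in names:
            return []  # merge declared but no data-source relationship present
        rels = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        return [
            (rel.get("Id"), rel.get("Target"), rel.get("TargetMode", "Internal"))
            for rel in rels.findall(f"{{{PKG_NS}}}Relationship")
            if rel.get("Type") == MAILMERGE_SOURCE
        ]


def suspicious_jet_sources(docx_bytes: bytes) -> list:
    """Targets from mail_merge_sources() that are external Access databases.
    Any hit means opening the document would make Word hand the file to Jet."""
    hits = []
    for _rid, target, mode in mail_merge_sources(docx_bytes):
        if mode == "External" and (target or "").lower().endswith(JET_EXTENSIONS):
            hits.append(target)
    return hits


def build_docx(data_source: str = None) -> bytes:
    """Constructed sample: a minimal package with just the settings part and its
    relationships, optionally declaring an external mail-merge data source."""
    settings = f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
    rels = f'<Relationships xmlns="{PKG_NS}">'
    if data_source is not None:
        settings += ('<w:mailMerge><w:mainDocumentType w:val="formLetters"/>'
                     '<w:dataSource r:id="rId1"/></w:mailMerge>')
        rels += (f'<Relationship Id="rId1" Type="{MAILMERGE_SOURCE}" '
                 f'Target="{data_source}" TargetMode="External"/>')
    settings += "</w:settings>"
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed paths; nothing here refers to a real file.
    for label, doc in [("plain letter", build_docx()),
                       ("csv merge", build_docx("file:///C:/data/customers.csv")),
                       ("access merge", build_docx("file:///C:/Users/Public/merge.mdb"))]:
        print(f"{label:13s} -> {suspicious_jet_sources(doc)}")
```

A merge that legitimately reads a CSV or a spreadsheet does not trip the check; only an external target with an Access extension does, which matches the narrow case the article is about. A scanner that also wanted to cover the binary .doc format would need an OLE parser for the mail-merge record, which this example does not attempt.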

Older Operating Systems Vulnerable

Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to attack.

However, customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 include a version of the Microsoft Jet Database Engine that is not vulnerable, according to a Microsoft security advisory.

"Microsoft is investigating the public reports and customer impact. We are also investigating whether the vulnerability can be exploited through additional applications," the advisory said. It promised Microsoft would take the appropriate action when the investigation is complete.

The "appropriate action" may mean providing a security update through its monthly release process or providing an out-of-cycle security update, Microsoft said.

Thwarting Targeted Attacks

Many attacks have used .mdb files since March 2006. And there has been a significant uptick in the number of targeted attacks over the last three years, according to Ken Dunham, director of global response for iSight Partners.

"At the turn of the century it was about protecting against e-mail worms and these bots that were spreading, and every now and again some Trojans. That was pretty easy," Dunham said. "You just keep patched and you are good to go."

Things are different today. The attacks are much more sophisticated, focused, targeted and scalable. Real-time fraud is a reality. That, Dunham said, is cause for concern in the CFO's office, presenting a dual challenge.

"CFOs not only have to do the best practices to take care of the sophisticated attacks that are regularly knocking on their door, but they also need to take care of the targeted attacks that may be specifically focused on a particular executive or machine or asset of interest inside of a network," Dunham said. "That means now you have to secure and exercise due diligence in a way that's much more personal."

Image credit: SFMTA.

© Copyright 2018 NewsFactor Network. All rights reserved.