Microsoft has confirmed reports of a Word vulnerability that opens the door for an attacker to exploit a system. The attack is possible because of a vulnerability in the Microsoft Jet Database Engine, which shares data with Access, Visual Basic and third-party applications.
Panda Software, McAfee and Symantec have all pointed to Microsoft Jet Database Engine flaws in past months, but Microsoft does not acknowledge the bug as a critical remote-execution vulnerability because .mdb files are considered unsafe and Outlook is configured to block Access files when they are received as an attachment.
However, Elia Florio from Symantec's security response team doubts Microsoft's stand is good enough. According to Symantec's security team, the attacker needs only to find a trick to force the Jet library to open a file and run malicious code.
"Some social engineering and a little help from Office applications will work out well in this specific attack. In fact, it is possible to call MSJET40.DLL directly from MS Word, without using Access at all," Florio said. "In this attack, the .doc file uses mail-merge functionalities to import an external data-source file, and so it effectively forces MS Jet to load the malicious Access sample."
Older Operating Systems Vulnerable
Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to attack.
However, Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 include a version of the Microsoft Jet Database Engine that is not vulnerable, according to a Microsoft security advisory.
"Microsoft is investigating the public reports and customer impact. We are also investigating whether the vulnerability can be exploited through additional applications," the advisory said. It promised Microsoft would take the appropriate action when the investigation is complete.
The "appropriate action" may mean providing a security update through its monthly release process or providing an out-of-cycle security update, Microsoft said.
Thwarting Targeted Attacks
Many attacks have used .mdb files since March 2006. And there has been a significant uptick in the number of targeted attacks over the last three years, according to Ken Dunham, director of global response for iSight Partners.
"At the turn of the century it was about protecting against e-mail worms and these bots that were spreading, and every now and again some Trojans. That was pretty easy," Dunham said. "You just keep patched and you are good to go."
Things are different today. The attacks are much more sophisticated, focused, targeted and scalable. Real-time fraud is a reality. That, Dunham said, is cause for concern in the CFO's office, presenting a dual challenge.
"CFOs not only have to do the best practices to take care of the sophisticated attacks that are regularly knocking on their door, but they also need to take care of the targeted attacks that may be specifically focused on a particular executive or machine or asset of interest inside of a network," Dunham said. "That means now you have to secure and exercise due diligence in a way that's much more personal."