Network News

X My Profile
View More Activity

Microsoft: Attacks Targeting Unpatched Word Flaw

Microsoft warned on Tuesday that has received reports of online criminals attacking a previously undocumented (and unpatched) security hole in various versions of its Microsoft Word application.

In an advisory, Microsoft said the problem is present in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005 and 2006.

Microsoft said it is working on a patch to fix the problem, but the earliest that users are likely to see it would be Dec. 12, the company's next regularly scheduled patch release date.

That's probably expecting too much too soon, however. So far this year, according to my tally, Microsoft has taken roughly 26 days on average to issue patches for critical Word or other Office related flaws that were being actively exploited in the wild. That data comes from another time-to-patch analysis that I'm working on that examines how quickly Microsoft responded to security flaws either reported to them directly or discovered being exploited in the wild in 2006.

In the meantime, Microsoft urged users to avoid opening or saving "Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources."

But you've already adopted that security posture, haven't you? Of course you have.

By Brian Krebs  |  December 6, 2006; 1:30 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: How Not to Distribute Security Patches
Next: TSA Now Investigating Boarding Pass Hacker



December 06, 2006
"...Although attacks in the past have been limited in target numbers, business sectors, and regions, there is a potential for more widespread attacks with this Word zero-day."


Posted by: J. Warren | December 6, 2006 5:16 PM | Report abuse

It is, of course, the documents "that you receive unexpectedly [apparently] from trusted sources" that present the biggest potential problem. I wanted to mention one tool that I have found useful in dealing with questionable situations: it's a program called 'antiword', which is free (it's released under the GPL). From the manual page:

"Antiword converts the binary files from Word 2, 6, 7, 97, 2000, 2002 and 2003 to plain text and to PostScript[TM]."

The conversion is by no means perfect; but it is, in my experience, almost always good enough to make the content of the document evident. (My experience is with the Linux/Unix versions.)

Since, for understandable reasons, Microsoft has not described the vulnerability in detail, it's not certain that antiword is immune to it, but since it's simpler than MS Word itself, it's likely to be safer.

The project page for antiword at FreshMeat is:
and the author's project page is:

According to the author, Adri van Os, the program should work on POSIX-compliant systems, The source code [in C] is available, naturally, as well as pre-built binaries for a variety of systems, including a version that runs in a DOS box. There is also a link to a pre-built version for Windows, which I have not used.

richg74 AT gmail DOT com

Posted by: Rich Gibbs | December 7, 2006 1:20 PM | Report abuse

Avoid the problem, perhaps, by defaulting to OpenOffice suite to open all Microsoft Office documents? OpenOffice can even access Microsoft Office password-protected documents (at least Office 2000 version).

Posted by: David | December 7, 2006 5:28 PM | Report abuse

The caution against open Word documents from untrusted users does not go far enough. If a friend or coworker is infected by a virus or worm, you might receive an infected document that appears to be from someone you know picked out of their address book.


Posted by: Doug | December 7, 2006 7:59 PM | Report abuse

Doug -- You are very right. I think Microsoft also issued that advice in its advisory, but then I can't recall them being that specific before. Perhaps this is new wordage for them: I'll have to go back and check. Either way, it's a good thing. The second part of their advice addresses your point:

"Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources."

Posted by: Bk | December 7, 2006 11:05 PM | Report abuse

I beg to remind everyone that, so far, all we have is Microsoft's word (no pun intended) for the existence of this alleged vulnerability/exploit, and that Microsoft still have the burden of proof at this point.

Posted by: Mark Odell | December 8, 2006 2:34 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company