Microsoft confirms Windows-Word attacks

Microsoft Corp. yesterday warned of a critical vulnerability that affects users of Word running on Windows 2000, XP and Server 2003 SP1 -- several weeks after one security company first reported an exploit and a day after a second vendor confirmed ongoing attacks.

In an advisory posted Friday, Microsoft acknowledged "public reports of very limited, targeted attacks" that exploit a bug in the Microsoft Jet Database Engine, a Windows component that provides data access to applications including Microsoft Access and Visual Basic.

According to Symantec Corp., however, the attacks Microsoft described used malicious Word 2000, 2002, 2003 and 2007 documents, which in turn call up the vulnerable Jet .dll.

"We believe that the issue being described [by Microsoft] is one described on March 20, 2008 by Elia Florio of Symantec Security Response," the security firm told customers of its DeepSight threat analysis network on Saturday. "He notes a recent discovery, by Panda Security, of a possible zero-day exploit observed in the wild."

News Source: ComputerWorld

Report a problem with article
Previous Story

Battlefield Arsenal Costs Real Cash

Next Story

Fujitsu to Release World's First 7200-RPM 320 GB 2.5" HDD

10 Comments

Commenting is disabled on this article.

You can jump to vista, spending a lot of money (and time) upgrading your system.
Or you can stop opening hideous files.

+1.

At least that's one sure thing MS improved (among many other features), for those who keep on insisting Vista is no better than XP. :P

(mrmckeb said @ #2)
Time to get Vista people :P It's obviously safer haha. This post isn't intended to cause a fight...

The Article
Microsoft said that users running Word on machines powered by Windows Vista and Windows Server 2003 SP2 are not at risk because those operating systems include a different version of Jet.

Looks like the solution isn't necessarily "Vista", but an updated version of the Microsoft Jet database engine.

If I can predict the future for a second here, let me guess that Microsoft will patch this with a Jet update, since that seems to be the source of the flaw, not the OS.

(Alex Bishop said @ #1)
I use open office :cool:


Yeah too bad this really is a vulnerability in the database engine that is included with windows, not really word per say... Using open office doesn't fix your Jet Database vulnerability...