Microsoft Corp.'s Word 2003 and Excel 2003 can be crashed by attackers who feed the business applications malformed documents, Symantec Corp. reported Monday. In separate alerts sent to subscribers of its DeepSight threat system, Symantec warned that the bugs -- both discovered and disclosed by a Russian researcher with the moniker "sehato" -- could be exploited by attackers to bring down the Office applications. Microsoft did not immediately respond to an e-mail request for confirmation and comment.
"A remote attacker may exploit this vulnerability by presenting a malicious WMF file to a victim user," said Symantec's report on the Office 2003 flaw. "The issue is triggered when the application is used to insert the malicious file into a document." Specially crafted WMF (Windows Metafile) image files were the root of a major attack in late 2005 and early 2006 that was launched from hundreds of malicious Web sites and compromised thousands of PCs. This bug seems to be different from the 2005/2006 vulnerability. The Excel flaw can be leveraged by a malformed spreadsheet file rather than a WMF image, Symantec added.