Third Word hole in ten days

A third unpatched security hole has surfaced in Word. Attackers can use specially prepared documents to infect a computer when it opens them. A first exploit showing how to overwrite the stack has already surfaced publicly. So far attempts have only caused Word to crash. Other attackers have already attempted target exploits of the hole to smuggle code onto computers. McAfee reports that on Sunday three employees of a well-known company were attacked through mails with rigged Word files attached.

Microsoft has been informed of the problem and is investigating it. However the Security Response Team's blog provides no further information. As with the previous two holes reported for Word, very few details are available. Security vendor eEye, writing in its zero day tracking list, is presuming that the hole is a new one, although it does not completely dismiss the idea that the available exploit is just a variant of the two already reported holes. Yet the last six months have shown that exploits for holes in Office tend to pop up based on a monthly rhythm. Three holes in eight days are therefore not really that surprising, given that last summer holes for PowerPoint turned up unusually often.

No patch has been released--for any of the three holes. Users should consider switching to other products, such as OpenOffice. Where that is not possible, Word documents, no matter what their source, should only be opened after discussion with the sender or author. Users could protect themselves against infection by the previous holes in Word by activating the Safe Mode. It remains unclear whether that also helps against the new holes.

See also:

• Word 12122006-djtest.doc, bug report on eEye
• Vulnerability in Word Could Allow Remote Code Execution, Microsoft Security Advisory

(trk)