Microsoft Warns On Exploit Affecting Word

    March 22, 2008
    WebProNews Staff

An indirect threat to several versions of Word via the Microsoft Jet Database Engine emerged as zero-day attacks began against the exploit.

Microsoft cited limited, targeted attacks affecting the vulnerability in Jet Database Engine, saying the exploits are not widespread. Users of Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, Bill Sisk said on the Microsoft Security Response Center blog.

“Our initial investigation has shown that this vulnerability affects customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007 and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1,” said Sisk.

In the formal advisory about the Jet issue, Microsoft noted the attack requires user interaction:

Current attacks require customers to take multiple steps in order to be successful; we believe the risk to be limited.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.

An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s site.

As we regularly suggest at SecurityProNews, avoid the temptation to visit links or open files delivered in email from unknown or suspicious senders. Microsoft, meanwhile, urges people to report security issues to it directly, rather than publicizing them and laying the groundwork for zero-day exploits.