Microsoft confirms active Word attacks

Only hours after it fixed nine vulnerabilities in several of its programs, Microsoft late Tuesday confirmed that attackers are exploiting an unpatched bug in Word.

In a security advisory it issued shortly before 10 p.m. EST, the Microsoft Security Response Center (MSRC) said attackers were exploiting a flaw in Word 2002. However, MSRC spokesman Bill Sisk downplayed the threat. “At this time, Microsoft is aware only of limited, targeted attacks that attempt to use this vulnerability,” Sisk said in an e-mail.

[ See recent related stories: “Symantec warns of new Word attack” and “Microsoft patches security bugs” ]

As is its practice, Microsoft provided few details of the vulnerability other than to say that it could be triggered by rigged Word documents if the user opened them. The company did not say how the in-the-wild attacks were delivering the malicious .doc files, but if the past is any indicator, criminals are sending malformed files as e-mail attachments.

“When a user opens a specially crafted Microsoft Word file that has malformed data, it may corrupt system memory in a way that could be leveraged by an attacker to execute arbitrary code,” the advisory read.

According to Microsoft, only Word 2002 contains the vulnerability. Other versions of the popular word processing program — including Word 2000, Word 2003, and Word 2007 on Windows, and Word 2004 and Word 2008 on the Mac — are not affected. Word 2003 Viewer, a free viewing- and printing-only tool, is also safe to use, said Microsoft.

In lieu of a patch, the MSRC advisory recommended that users turn to Word 2003 Viewer to open and view Word files. Sisk said that a patch may be forthcoming, but did not specify a timetable.

Earlier Tuesday, Symantec warned that it had seen attackers exploiting an unpatched bug in Word, but the security firm had offered even less information than Microsoft did hours later.

Word has been patched twice already this year, most recently in May when Word 2000, 2002, 2003, and 2007 on Windows, and Word 2004 and Word 2008 were fixed to stymie attacks using other types of malicious documents. Office bugs, in general, and Word vulnerabilities, in particular, have regularly been exploited over the last three years.

Tuesday’s advisory was the second one that Microsoft issued this week. On Monday, the company warned that other attackers were exploiting a flaw in the Snapshot Viewer ActiveX control bundled with all versions of Access, Office’s database program, except the newest edition, Access 2007.

Also Tuesday, Microsoft released four security updates that patched nine vulnerabilities, but none patched flaws in Office.

Computerworld is an InfoWorld affiliate.