Zero-day attack hits Word

By Joris Evers on 16 February 2007

A new, yet-to-be-patched security hole in Word is being used in targeted cyberattacks, Microsoft has warned.

When a user opens a rigged Word file, it may corrupt system memory in such a way that an attacker could gain complete control over the PC, Microsoft said in a security advisory posted late Wednesday. Office 2000 and Office XP are at risk, the company said. The two recent versions, Office 2003 and 2007, are not affected.

As with most of the Office vulnerabilities, an attacker would have to trick a user into opening a malicious file to be successful. The vulnerability is being exploited in "very limited, targeted attacks," Microsoft said. A security update to repair the problem is in the works, it added.

Word of the new flaw comes a day after Microsoft released updates for nine other Office-related vulnerabilities. Five of them were zero-day flaws, or security holes that have been publicly disclosed but not fixed.

Security experts have said that limited-scale attacks are the most dangerous. Widespread worms, viruses or Trojan horses sent to millions of mailboxes are typically not a grave concern, because they can be blocked. But targeted Trojan horses, especially those aimed at specific businesses, have become nightmares as they can fly under the radar.

Cybercrooks have found that they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after "Patch Tuesday" -- the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.

E-mail this
Print this
Share this...
- del.icio.us
- digg this
- Reddit
- Slashdot
- StumbleUpon

Join CNET.com.au Free newsletters, post to forums and win prizes. Join now - it's free and easy!

Related links

Protect your spreadsheets: Hackers attack Excel

Microsoft has issued a security advisory warning that attackers are targeting versions of its Office Excel with vulnerabilities.
Windows Mobile flaws could crash phones

A security firm has found a pair of security bugs in Microsoft's Windows Mobile which, if exploited, could crash phones and other devices running the software.
Patch Tuesday resumes with 'critical' Windows fix

Microsoft on Tuesday plans to release five security bulletins, four of which will address Windows flaws.
Internet Explorer's shrinking numbers

There's a new version of Internet Explorer coming this month, complete with tabbed browsing and built-in antiphishing technology, but will the new features be enough to shore up the browser's flagging support?

User comments
Leave a comment

┼
17/02/2007 03:33 PM

y is it zero-day?

Report offensive content

Comment made on:
17/02/2007 04:34 PM

Yeah, why is it called a "Zero-day attack"?

Report offensive content

Promythyus
18/02/2007 01:52 AM

because is was started on "Zero-Day Wednesday, the day AFTER Microshit send out their fornightly patch, on tuesdat, therefore getting 2 weeks immunity from MS patches

Report offensive content