Microsoft May Release Out-of-Cycle Patch for Word Flaw -- Visual Studio Magazine

Microsoft May Release Out-of-Cycle Patch for Word Flaw

Microsoft confirmed "very limited, targeted" attacks on an open Word security flaw. The company is researching a patch.

By Becky Nagel
03/24/2008

Late Friday, Microsoft confirmed "very limited, targeted" attacks on an open Microsoft Word security flaw. The company is currently researching a patch -- one that it may not wait for its regular Patch Tuesday to release.

The flaw affects most versions of Word that are not running on Windows Server 2003 SP2, Vista or Vista SP1. Hackers can execute buffer overrun attacks by taking advantage of a flaw in Microsoft's Jet Database Engine (Jet) in Word that can allow the remote execution of code, according to Microsoft's security advisory on the issue. Windows Server 2003 and Vista are not vulnerable as they use a different version of Jet.

Microsoft is also investigating whether other products that use Jet may be vulnerable.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," the company said.

For now, Redmond has posted a workaround for the flaw in the security advisory that shows administrators how to restrict Jet from running as well as block .MDB attachments through Microsoft Exchange or other mail systems.

Customers could also be infected via the Web if they are lured into visiting a Web site that "contains a specially crafted Word file that is used to attempt to exploit this vulnerability."

Microsoft said that because successfully exploiting the flaw requires "customers to take multiple steps" in order to be affected, the risk is "very limited." A successful attack would mean that the hacker would gain the same rights as the user of the machine.

About the Author

Becky Nagel serves as vice president of AI for 1105 Media specializing in developing media, events and training for companies around AI and generative AI technology. She also regularly writes and reports on AI news, and is the founding editor of PureAI.com. She's the author of "ChatGPT Prompt 101 Guide for Business Users" and other popular AI resources with a real-world business perspective. She regularly speaks, writes and develops content around AI, generative AI and other business tech. Find her on X/Twitter @beckynagel.

Printable Format

comments powered by Disqus

Featured

Visual Studio's AI Future: Copilot .NET Upgrades and More

At this week's Microsoft Ignite conference, the Visual Studio team showed off a future AI-powered IDE that will leverage GitHub Copilot for legacy app .NET upgrades, along with several more cutting-edge features.
PowerShell Gets AI-ified in 'AI Shell' Preview

Eschewing the term "Copilot," Microsoft introduced a new AI-powered tool for PowerShell called "AI Shell," available in preview.
GitHub Research Claims Copilot Code Quality Gains in Addition to Productivity

GitHub says new research proves its Copilot AI tool can improve code quality, following earlier reports that said it boosts developer productivity -- and has a retort for contrarian studies.
Visual Studio Devs Demand Claude 3.5 Sonnet AI: 'Why Is VSC Always Preferred?'

The brand-new Visual Studio 2022 v17.12 lets devs specify the AI model they want to use with the baked-in GitHub Copilot, but some are clamoring for more options, such as the latest/greatest Claude 3.5 Sonnet model from Anthropic that is available in VS Code.
SQL Database in Microsoft Fabric in Preview for Faster AI Apps

Microsoft's early embrace of advanced AI in its dev tooling continues apace with the new public preview of SQL database in Microsoft Fabric, the company's analytics/data platform.