Microsoft May Release Out-of-Cycle Patch for Word Flaw
Microsoft confirmed "very limited, targeted" attacks on an open Word security flaw. The company is researching a patch.
Late Friday, Microsoft confirmed "very limited, targeted" attacks
on an open Microsoft Word security flaw. The company is currently researching
a patch -- one that it may not wait for its regular Patch Tuesday to release.
The flaw affects most versions of Word that are not running on Windows Server 2003 SP2, Vista or Vista SP1. Hackers can trigger a buffer overrun in Microsoft's Jet Database Engine (Jet) through Word, which can allow remote code execution, according to Microsoft's security advisory on the issue. Windows Server 2003 and Vista are not vulnerable as they use a different version of Jet.
Microsoft is also investigating whether other products that use Jet may be
vulnerable.
"Upon completion of this investigation, Microsoft will take the appropriate
action to help protect our customers. This may include providing a security
update through our monthly release process or providing an out-of-cycle security
update, depending on customer needs," the company said.
For now, Redmond has posted a workaround for the flaw in the security advisory that shows administrators how to restrict Jet from running as well as block .MDB attachments through Microsoft Exchange or other mail systems.
Customers could also be infected via the Web if they are lured into visiting
a Web site that "contains a specially crafted Word file that is used to
attempt to exploit this vulnerability."
Microsoft said that because successfully exploiting the flaw requires "customers
to take multiple steps" in order to be affected, the risk is "very
limited." A successful attack would mean that the hacker would gain the
same rights as the user of the machine.
About the Author
Becky Nagel is vice president of AI for 1105 Media, where she specializes in training internal and external customers on maximizing their business potential via a wide variety of generative AI technologies as well as developing cutting-edge AI content and events. She's the author of "ChatGPT Prompt 101 Guide for Business Uses," regularly leads research studies on generative AI business usage, and serves as the director of AI Boardroom, a new resource for C-level executives looking to excel in the AI era. Prior to her current position she was a technical leader for 1105 Media's Web, advertising and production teams as well as editorial director for a suite of enterprise technology publications, including serving as founding editor of PureAI.com. She has 20 years of enterprise technology journalism experience, and regularly speaks and writes about generative AI, AI, edge computing and other cutting-edge technologies. She can be reached at [email protected].