Late breaking news: Microsoft investigates reports of Office Word 2002 SP 3 exploited in the wild

From Bill Sisk, security response communications manager for Microsoft:

Microsoft Security Advisory (953635)
Vulnerability in Microsoft Word Could Allow Remote Code Execution
Published: July 8, 2008

Microsoft is investigating new public reports of a possible vulnerability in Microsoft Office Word 2002 Service Pack 3. Our initial investigation indicates that customers who use all other supported versions of Microsoft Office Word, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, and Microsoft Office for Mac are not affected.

At this time, Microsoft is aware of limited, targeted attacks that attempt to use this vulnerability. While Microsoft Office Word 2000 does not appear vulnerable to this issue, Word 2000 may unexpectedly exit when opening a specially crafted .doc file that the attacker is using in an attempt to exploit the vulnerability.

Interesting, I’m wondering if this is a file format flaw. After Microsoft released their file format specs, one could expect this type of thing might come to light, BUT that doesn’t mean Microsoft releasing those specs was a bad thing. I think that in the future, if not right away, Microsoft will see a good number of flaws reported to them on these file format spec flaws, which is GOOD because that means the hackers aren’t sitting on the flaws. It’s, of course, just speculation that it’s a file format flaw though.

Read on for more details on the flaw…

The vulnerability is described as:

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s site.

Yeah, that or maybe they use Safari on Windows to drop a Word document on the victim’s system that is titled something to entice the user to open the file. Don’t hate on me, Mac fans. I love my MacBook and my iPhone; I’m just saying it’s possible.

The advisory continues:

Microsoft is investigating the public reports and customer impact. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft continues to encourage responsible disclosure of vulnerabilities. Microsoft believes the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Customers who believe that they have been attacked can obtain security support at and should contact the national law enforcement agency in their country. Customers in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at

Hmm… that’s cool, I didn’t know that we had a line that regular people could call when they’re getting attacked, probably a good thing for people to note.

Mitigating Factors:

This vulnerability cannot be exploited on the following Microsoft Office software:

  • Microsoft Office Word 2000 Service Pack 3
  • Microsoft Office Word 2003 Service Pack 2 and Microsoft Office Word 2003 Service Pack 3
  • Microsoft Office Word 2007 and Microsoft Office Word 2007 Service Pack 1
  • Microsoft Office Word Viewer 2003 and Microsoft Word Viewer 2003 Service Pack 3
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
  • Microsoft Office for Mac 2004
  • Microsoft Office for Mac 2008

We’ll see what comes of this.

[Source: zdnet]