'Why didn't you tell us first?' moans Microsoft...
By Ina Fried
Published: 8 October 2004 09:25 GMT
A vulnerability has been found in a Microsoft's popular Office Suite - MS Word in particular - that could give a malicious third party control of your machine
A security company warned on Thursday that a flaw in Microsoft Office could allow a denial-of-service attack to be executed on systems running somewhat older versions of the popular productivity suite.
Secunia issued an advisory saying a buffer overrun flaw has been found in Office 2000, and potentially also in Office XP, that could allow hackers to take over a user's system. The company rated the flaw as "highly critical".
The security firm said that vulnerability is caused by an error in the way Microsoft Word manages input when parsing document files. It said the flaw could be exploited through a specially crafted document and recommends that, until a fix is found, users only open trusted Word documents.
Microsoft said it was investigating the issue, but also took to task the bug's discoverer - which Secunia identified only as "HexView" - for not bringing it to Microsoft's attention before going public.
"We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," a Microsoft representative said in an email. But the software maker said it was concerned that it had not been made aware of the flaw prior to it being made public.
"Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk," the representative said. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."
Some in the security community have taken Microsoft to task for the time it takes to develop patches.
Microsoft said that once it completes its investigation, it will decide what, if any, action to take. Options include a fix as part of the company's regular monthly patch releases or an unscheduled fix if the vulnerability warrants it.
Ina Fried writes for CNET News.com.
I would gladly inform Microsoft of any errors I fi...
David de Vere Webb
Why are the exploits there in the first place? And...
Goten Xiao
Do Microsoft seriously expect us to believe that t...
Lionel A Smith
The requirements for the role are - Financial management experience (budget & forecast management) Superior communication skills High attention to ...
This may include experience of hardware break / fix, software break / fix, software installation, password sets and imaging. Helpdesk Analyst / 1st ...
You will be responsible for all security incidents, incident response, IDS analysis, threats and tracking vulnerabilities of the infrastructure.Due ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead
Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy