You are here: silicon.com > Software > Security Strategy

Security Strategy

Flaw in Office has DoS attack potential

'Why didn't you tell us first?' moans Microsoft...

Printer Friendly Email Story RSS

By Ina Fried

Published: 8 October 2004 09:25 BST

A vulnerability has been found in a Microsoft's popular Office Suite - MS Word in particular - that could give a malicious third party control of your machine

A security company warned on Thursday that a flaw in Microsoft Office could allow a denial-of-service attack to be executed on systems running somewhat older versions of the popular productivity suite.

Secunia issued an advisory saying a buffer overrun flaw has been found in Office 2000, and potentially also in Office XP, that could allow hackers to take over a user's system. The company rated the flaw as "highly critical".

The security firm said that vulnerability is caused by an error in the way Microsoft Word manages input when parsing document files. It said the flaw could be exploited through a specially crafted document and recommends that, until a fix is found, users only open trusted Word documents.

Microsoft said it was investigating the issue, but also took to task the bug's discoverer - which Secunia identified only as "HexView" - for not bringing it to Microsoft's attention before going public.

"We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," a Microsoft representative said in an email. But the software maker said it was concerned that it had not been made aware of the flaw prior to it being made public.

"Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk," the representative said. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

Some in the security community have taken Microsoft to task for the time it takes to develop patches.

Microsoft said that once it completes its investigation, it will decide what, if any, action to take. Options include a fix as part of the company's regular monthly patch releases or an unscheduled fix if the vulnerability warrants it.

Ina Fried writes for CNET News.com.

Add Comment Add comment  Printer Friendly Print story with   Email Story Email story  
In
Applications

Operating Systems

SOA/Web Services

Malware

Security Strategy


Reader Comments

I would gladly inform Microsoft of any errors I fi...
David de Vere Webb

Why are the exploits there in the first place? And...
Goten Xiao

Do Microsoft seriously expect us to believe that t...
Lionel A Smith

Click here to see all

Related Links

XP SP2 escapes critical Windows security flaw

"Highly critical" IE flaw unplugged by XP SP2

XP Service Pack 2: First security flaws found

Microsoft patches Exchange security flaw

Microsoft patches 'the class of 2007'

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

Peter Cochrane Peter Cochrane's Blog: Is convergence a fiction? Or could it finally be happening…

Clive Longbottom Quocirca's Straight Talking: A game of two halves Microsoft Virtualisation scores while its SOA bores...


Viacom vs Google: YouTube privacy fears

Google Talk finds a home on iPhone

ePassport upgrade scaled back

Barclays gives online users free security software

Probe into loss of 21,000 hospital patient details

Zittrain: Android holds the key to free future



  • Jobs
Security Consultant Ethical Hacking / Penetration Testing - London

Responsibilities: - Deliver security assessment services including network scanning, vulnerability testing, penetration testing, search engine ...

Websphere IT Specialist / Architect

Trouble shoot and fix technical problems, liaising with product management and technical support to organise a patch if necessary. Understand and be ...

VBA developer

Suite. My client, a Liverpool based public sector organisation are looking for a VBA specialist for a 3 6 month period. Essential skills: Strong ...

CIO50 2008
The silicon.com CIO50 2008 profiles the most influential and innovative tech chiefs in the UK across all industries and organisation size, from the biggest FTSE100 companies to high growth dot-com start ups and the public sector. The list was voted on by the UK CIO community and a panel of experts. Find out more in our latest special report.

College classrooms go high-tech

Travis Perkins builds its tech future

Thin clients switch on digitally excluded

MSDN Webcast: Demystifying Office Business Applications for the Developer (Level...

Understanding SOA and Business Mashups: Automate. Coordinate. Collaborate. No coding...

Tips and Tricks for Office 2007

MSDN Webcast: Demystifying Office Business Applications for the Business Analyst...

Stories from the web...


Peter Cochrane's Video Blog: Power outrage

Business agility through flexible IT

What are you really saying?


London data centres hit by credit crunch

Ofcom: Mobile broadband driving interest in fibre

3G iPhone to storm enterprise world, says O2

MoD IT - late and over budget

Terrorists turning to tech, warns gov't




Quick Sitemap Links: