Microsoft is currently investigating a vulnerability in certain editions of its Word software that could open millions of unprotected PCs to hacker attacks.
The vulnerability affects Word 2000, 2002, 2003, Word Viewer 2003, Word 2004 for Mac, and Word 2004 version X for Mac. The free applications of Microsoft Works, versions 2004, 2005 and 2006, are also vulnerable.
How Big?
As Microsoft is releasing little data, the scope of the problem is unclear. As few as 300,000 users out of a potential universe of millions have sufficient firewall and antivirus defenses in place to protect against incursions, estimates Ryan Sherstobitoff, product technology officer for Panda Software.
Even though the flaw is widespread in terms of the number of products affected, the impact is not likely to be on the scale of a Blaster or Slammer worm, Randy Abrams, director of technical education at ESET, told TechNewsWorld. In those cases, code was executed without user interaction.
“This is really more of an incident that should be used to remind people to be cautious in handling attachments, rather than a high-profile threat,” he said.
Standard Precautions
Until a patch is released, Microsoft and security experts are cautioning users not to open unexpected documents, especially those from unknown sources.
“Users, home and corporate, need to understand that even if an e-mail appears to come from someone they know, it may not have actually been sent by that person,” Abrams warned. “Attachments that are not asked for or expected should not be opened prior to confirming with the sender that they actually did send the attachment and why.”
The primary consumer attack vectors will likely be documents that claim to contain user names and passwords for porn sites; lists of activation codes for desirable software; information about a consumer’s bank, stock or other financial account; pictures of celebrities; or jokes, Abrams said.
“History has taught us that these are highly successful social engineering tactics,” he observed. “The fact that Word documents are very commonly exchanged makes this vulnerability of concern. However, other means of tricking users into installing malicious software are effective enough that malware writers may not see a need to expend energy on an attack that is likely to gain only marginal returns.”
More Mac users than usual might fall victim, since this user group is unaccustomed to malware and may not be as vigilant, Sherstobitoff told TechNewsWorld, noting that it is generally unusual for Mac software to be affected.
“It is more difficult to run arbitrary code on the Mac’s underlying kernel than it is with a Windows OS,” he pointed out.
Corporations at Risk
Even though corporations are better prepared than individual users for online malware, their systems may be at greater risk for attack, said Abrams.
“For financially motivated attackers, it is not important to be able to exploit a million machines. Simply compromising one machine on a network can be enough to gain access to proprietary corporate information. It is likely that this will be a small, but costly, attack vector,” he predicted.