By Chris Mosby
Well, here we are, another monthly patch day has come and gone this week. After the smoke clears, as usual, we have to figure out what holes are left that weren’t patched this time around.
Who decides which Word/Windows holes to fix?
One of these days, I really hope that I have the opportunity to hold a discussion with some of the people over at Microsoft. I’d like to find out how they decide what gets patched and what doesn’t.
In the meantime, we’ll just have to wonder — and try to clean up this month’s list of known holes that didn’t get closed. This time around, Microsoft Word is the big concern.
Infected .doc files can get you via Word
A vulnerability in Microsoft Works 2004-2006, Word 2003 Viewer, and all versions of Microsoft Word except 2007, was recently reported in Microsoft security advisory 929433. The advisory was issued after Microsoft began investigating reports of “limited” attacks that are already exploiting the hole.
This flaw is due to an unidentified error in how Word handles documents. The error can cause memory corruption and allow infected code to run with the same rights as the user. A hacker trying to compromise computers would, of course, have to get a user to open an infected document in order to take advantage of this exploit.
What to do: Microsoft, as usual, gives you the old chestnut, “Don’t open Word files that you receive from untrusted sources or that are received unexpectedly from trusted sources.” Now, this is good advice, no matter what you get in e-mail — but it doesn’t fix the problem. To do that, you could go out and buy Office 2007, which isn’t vulnerable to the hack, or simply hope Microsoft releases a patch for older versions of Word soon.
