By Chris Mosby
Although some missing patches are more important than others, and some have lain undiscovered for years, none of them should be ignored.
This week, flaws in MS Word and Internet Explorer could cause you trouble. Here’s how to avoid system upset.
Word flaw allows infected code execution
In February, McAfee Avert Labs discovered a zero-day exploit in Microsoft Word 2000 that the company said had been used in a "very limited and targeted attack." This flaw was first believed to cause only a Denial of Service (DoS), but was later found to allow the execution of infected code as well.
Microsoft recently acknowledged this flaw in a security advisory and revealed that Word XP is also affected. The vulnerability is caused by a previously undisclosed error in the way Word parses documents. A user must open a hacked document for this flaw to be exploited, but if that occurs, infected code will be run with the same rights as the logged-on user.
What to do: Microsoft suggests that you not open or save Office files you receive from untrusted sources, or even those that you receive unexpectedly from trusted sources. Though this is good advice to follow with any type of e-mail attachment, the vulnerability does not affect Office 2003 or Office 2007. Thus, it would make more sense to just upgrade Office to the latest version.
More information: CVE-2007-0870, US-CERT, ISS, SecurityTracker, SecurityFocus, FrSIRT, Secunia
IE ‘onunload’ flaw can trap users
A flaw in Internet Explorer (IE) 6 and 7 could allow a hacker to construct an infected Web page that would affect you. You could actually be trapped on the infected page, although it would appear that you had successfully navigated to another Web site.