Taken directly from MSNBC.com
REDMOND, Wash., Aug. 22 — Microsoft Corp. said Thursday that “critical” security lapses in several of its marquee programs, including the Office productivity suite and the Internet Explorer Web browser, could put users at risk of having their systems crashed and their files read by online attackers.
The world’s No. 1 software maker said that an attacker, using e-mail or a Web page, could run commands on a user’s system to run programs, alter data and reformat the hard drive, as well as view file and clipboard contents. (MSNBC is a Microsoft-NBC joint venture.)
The problem can be fixed by downloading a software patch from Microsoft’s TechNet Web site. The company issued a bulletin advising customers to install the patch immediately. “Microsoft is committed to keeping customers’ information safe, and is providing a patch that eliminates three vulnerabilities in Office Web Components,” Microsoft Security Program Manager Christopher Budd told Reuters in an e-mail.
Programs vulnerable to such attacks include Internet Explorer 5.01, 5.5 and 6.0; Microsoft Office 2000; Office XP; Money 2002 and Money 2003; and Project 2002, as well as server software related to such client software, Microsoft said.
Russ Cooper, head of security at TruSecure Corp., a computer security company, and editor of NTBugTraq, said that because Office is used by at least 100 million people, the risk of widespread attacks was significant.
“It’s important that users get the patch,” Cooper said. “Typically with these types of issues it will be six to nine months until we see a massive attempt to start exploiting it.”
Microsoft, shaken by break-ins to its system and vulnerabilities in its software, launched a “trustworthy computing” campaign earlier this year to improve the security of all its software.
Since that initiative, which Chairman Bill Gates said had cost the company $100 million so far this year, Microsoft has issued at least 30 security bulletins for flaws in its software. Microsoft said it is not aware of any specific security breaches or the amount of any potential damage that might have occurred due to vulnerabilities in its software.