Results 1 to 2 of 2

Thread: Flaw found in older Office versions

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Flaw found in older Office versions

    A security company warned Thursday that a flaw in Microsoft Office could allow a denial-of-service attack to be executed on systems running somewhat older versions of the popular productivity suite.

    Secunia issued an advisory saying a buffer overrun flaw has been found in Office 2000, and potentially also in Office XP, that could allow hackers to take over a user's system. The company rated the flaw as "highly critical."

    The security firm said that vulnerability is caused by an error in the way Microsoft Word manages input when parsing document files. It said the flaw could be exploited through a specially-crafted document and recommends that, until a fix is found, users only open trusted Word documents.

    Microsoft said it was investigating the issue, but also took to task the bug's discoverer--which Secunia identified only as "HexView"--for not bringing it to Microsoft's attention before going public.

    "We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," a Microsoft representative said in an e-mail. But the software maker said it was concerned that it had not been made aware of the flaw prior to it being made public.

    "Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk," the representative said. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

    Some in the security community have taken Microsoft to task for the time it takes to develop patches.

    Microsoft said that once it completes its investigation, it will decide what, if any, action to take. Options include a fix as part of the company's regular monthly patch releases or an unscheduled fix if the vulnerability warrants it.
    Source : http://news.zdnet.com/2100-1009_22-5401814.html
    -Simon \"SDK\"

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm,

    For once I think that Microsoft have the (slightly) morally higher ground It is irresponsible to release details of vulnerabilities before the vendor has been informed.

    I wonder if Office97 is affected, that is still in common use around here. Having looked at Office from 97 through to 2003 I really don't see much justification in upgrading unless you are a real "power user" of the product...........and I guess that rules out at least 80%?

    OH well /me goes to find 5.25" floppies with Word for DOS 1.0 on it...........now that would be a real DOS attack?

    Thanks for the heads up Simon

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •