Microsoft Investigating Zero-Day Vulnerability in Microsoft Word
Microsoft announced yesterday that it is investigating new public reports of very limited, targeted "zero-day" attacks against Microsoft Word that use a vulnerability in Microsoft Office 2000 and Microsoft Office XP. For this attack to be carried out, a user must first open a malicious Office file attached to an email or otherwise provided to them by an attacker.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. The vulnerability cannot be exploited on Office 2007, Office 2003 or Word 2003 Viewer.
In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
View: www.itnewsonline.com
www.economictimes.indiatimes.com