| Top
Security News |
Data Thieves Drop In On Your Phone
Spyware geared toward stealing data from a mobile device has been spotted accompanying phone-infecting viruses; this early effort probably signals more sophisticated attacks are in the offing.
Keeping An 'eEye' On Zero-Day Exploits
Marc Maiffret's eEye security firm has launched the Zero-Day Tracker, a website where the company will post and archive information on vulnerabilities hit by zero-day exploits. When a patch emerges...
BuddyProfile Sending AIM Users To Malware
A site that allows visitors to embed content in their AIM buddy profiles is being exploited by malware and adware distributors who create profiles laden with links to unwanted content. Adult and other undesired...
Holidays
Are Good For Phishing
All the online holiday shopping is fertile ground for online scammers looking to fence a few ill-gotten dollars from unsuspecting consumers Sophos says a Web poll (already skewed toward Web users)...
CAN-SPAM
Has Minimal Spam Impact
About three years after the debut of the CAN-SPAM act, very little impact has been made on the volume of spam deluging inboxes, a problem that has worsened each year...
Code Injection Beyond SQL
Although SQL injection attacks have been a threat to websites, other types of code injection could be equally as toxic XML and LDAP could be as prone to a malicious injection of code as a SQL...
|
|
|
 |
|
The zero-day exploit being actively attacked in Microsoft Word on the Windows and Mac platforms probably hit too late in Microsoft's cycle to be addressed with its monthly patch releases.
Microsoft publishes an advance bulletin advising of the forthcoming patches a few days in advance each month. They do this to give administrators notice that they should plan for some downtime for production machines when a reboot will be required after a patch installation.
In the latest version of this notice, Microsoft advised that a Critical flaw in Visual Studio will be patched, along with five patches for Windows. As is custom, Microsoft does not release details of the patches until their release.
When patches for Office will be part of an update,
Microsoft notes that as well. As security firm F-Secure blogged, there is no Office patch listed for December
12th:
Looks like we'll have to not open or save Word files from untrusted sources, or unexpectedly received from trusted sources, for another month. No one sends DOC files in e-mails anyway, right?
It's a frustrating situation, and Microsoft is downplaying
the Word flaw exploit activity as limited,
targeted attacks, according to Christopher Budd posting
for Microsoft on the company's Security Response Center blog:
...the goal of these limited, targeted attacks is to introduce malicious software on to the systems of the specific organizations that have been targeted. For example, in investigating the issue that we just issued Microsoft Security Advisory 929433 on, part of our investigation showed that the attacks were specifically attempting to introduce malicious software rather than propagate themselves to additional customers.
One of our goals when we issue a security advisory is to give you information to help you understand the risks posed by an issue. One thing we know that customers want to know about is what the scope of an attack is. Through our work with partners, with customers, and internal investigations, we're sometimes able to tell if an attack is a broad, random attack, or if it's a very limited, targeted attack.
When we're able to do this, we include it in our security advisory as another piece of information to help you understand what's going on, so you can make a better informed risk assessment.
As someone who routinely works with OpenOffice, it looks to me the risk assessment goes like this - Microsoft == high, non-Microsoft == not high.
To borrow a phrase from Steve Jobs, whose Mac platform is also vulnerable to the Word flaw in Office for Mac, here's one more thing. Proof of concept code to exploit the Windows Media ASX file format is making the rounds, so don't let the staff grab unknown Word documents or Media files either.
About
the Author:
David Utter is a business and technology writer for SecurityProNews, WebProNews, and InternetFinancialNews.
|
|
,
Inc. 2549 Richmond Rd. Lexington KY, 40509
