Patch Tuesday May Not Close Word Flaw



David Utter
Staff Writer
2006-12-08



The zero-day flaw being actively exploited in Microsoft Word on the Windows and Mac platforms probably hit too late in Microsoft's cycle to be addressed with its monthly patch releases.


Each month, a few days before the release, Microsoft publishes an advance bulletin advising of the forthcoming patches. It does this to give administrators notice to plan for some downtime on production machines when a patch installation will require a reboot.

In the latest version of this notice, Microsoft advised that a Critical flaw in Visual Studio will be patched, along with five patches for Windows. As is custom, Microsoft does not release details of the patches until their release.

When patches for Office will be part of an update, Microsoft notes that as well. As security firm F-Secure blogged, there is no Office patch listed for December 12th:

Looks like we'll have to not open or save Word files from untrusted sources, or unexpectedly received from trusted sources, for another month. No one sends DOC files in e-mails anyway, right?

It's a frustrating situation, and Microsoft is downplaying the Word flaw exploit activity as limited, targeted attacks, according to Christopher Budd posting for Microsoft on the company's Security Response Center blog:

...the goal of these very limited, targeted attacks is generally to introduce malicious software on to the systems of the specific organizations that have been targeted. For example, in investigating the issue that we just issued Microsoft Security Advisory 929433 on, part of our investigation showed that the attacks were specifically attempting to introduce malicious software rather than propagate themselves to additional customers.

One of our goals when we issue a security advisory is to give you information to help you understand the risks posed by an issue. One thing we know that customers want to know about is what the scope of an attack is. Through our work with partners, with customers, and internal investigations, we're sometimes able to tell if an attack is a broad, random attack, or if it's a very limited, targeted attack.

When we're able to do this, we include it in our security advisory as another piece of information to help you understand what's going on, so you can make a better informed risk assessment.

As someone who routinely works with OpenOffice, it looks to me like the risk assessment goes like this - Microsoft == high, non-Microsoft == not high.

To borrow a phrase from Steve Jobs, whose Mac platform is also vulnerable to the Word flaw in Office for Mac, here's one more thing. Proof-of-concept code to exploit the Windows Media ASX file format is making the rounds, so don't let the staff grab unknown Word documents or Media files either.

About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
