14 DAY TRIAL // The ubiquity of the Office productivity suite along that of Windows makes Microsoft's flagship products some of the preferred targets for attacks. In this regard, the Redmond giant warned Office users of new exploits identified in the wild targeting Microsoft Office Word 2002 SP3. Bill Sisk, Microsoft Security Response Center Communications Manager, was reserved in throwing the blame on Office and revealed that a vulnerability in the Word component of the productivity suite has yet to be confirmed.
Sisk referred only to a "possible vulnerability within Microsoft Office Word which could allow for remote code execution. Our investigation this far has shown that this vulnerability affects Microsoft Office Word 2002 Service Pack 3 only. At this time, we are aware of limited, targeted attacks attempting to use the reported vulnerability, but we will continue to track this issue".
The attack is carried out through malicious .DOC files which the victim has to execute in order for an attacker to successfully exploit the issue. Microsoft did not reveal the entire impact of the exploits as the investigation is still underway, but it is clear that users are dealing with a Critical vulnerability. According to the software giant, exploits of the security flaw will also cause Office Word 2000 to crash but, in this case, the attacks are limited to denial of service scenarios.
"Our initial investigation indicates that customers who use all other supported versions of Microsoft Office Word, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, and Microsoft Office for Mac are not affected," Microsoft informed.
More specifically, Word in Office 2000 SP3, Office 2003 SP2 and SP3, Office 2007 SP1, Office for Mac 2004 and 2008, as well as Office Word Viewer 2003, and Office Compatibility Pack for Office 2007 are not affected by the issue. As a workaround, Microsoft is advising users of Word 2002 SP3 to access Office Word 2003 Viewer or Office Word 2003 Viewer SP3 in order to open and view .DOC files.
"We will continue to monitor the situation and post updates to the advisory and [will provide updates] as we become aware of any important new information. In the meantime, we encourage customers to review the advisory and implement the workarounds," Sisk added.