by Nathan McFeters
July 8th, 2008 @ 8:40 pm

From Bill Sisk, security response communications manager for Microsoft:
Microsoft Security Advisory (953635)
Vulnerability in Microsoft Word Could Allow Remote Code Execution
Published: July 8, 2008

Microsoft is investigating new public reports of a possible vulnerability in Microsoft Office Word 2002 Service Pack 3. Our initial investigation indicates that customers who use all other supported versions of Microsoft Office Word, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, and Microsoft Office for Mac are not affected.

At this time, Microsoft is aware of limited, targeted attacks that attempt to use this vulnerability. While Microsoft Office Word 2000 does not appear vulnerable to this issue, Word 2000 may unexpectedly exit when opening a specially crafted .doc file that the attacker is using in an attempt to exploit the vulnerability.

Interesting, I’m wondering if this is a file format flaw. After Microsoft released their file format specs, one could expect this type of thing might come to light, BUT that doesn’t mean Microsoft releasing those specs was a bad thing. I think that in the future, if not right away, Microsoft will see a good number of flaws reported to them on these file format spec flaws, which is GOOD because that means the hackers aren’t sitting on the flaws.