New Word 2007 flaws, exploits released

Microsoft just can't seem to keep pace with hackers finding serious flaws in Office applications.

Several new security bugs in the desktop productivity suite have been found and released to the public, including proof-of-concept Word 2007 .docs that could potentially cause code-execution attacks.

The sample .docs have been posted to several known exploit sites, including Milw0rm.com and SecurityVulns.com.

Details on the actual vulnerabilities are scarce. Most appear to be simple denial-of-service issues that cause Word 2007 to crash when the file is opened.

A third bug points to an overflow in wwlib.dll (a core Office library) that could theoretically lead to arbitrary code execution.

The fourth bug released is a heap overflow in the Microsoft Help subsystem. Again, code execution may be possible.

Microsoft is expected to ship five security bulletins later today to cover a range of Windows flaws, but several known Office vulnerabilities will remain unfixed.

[UPDATE: April 10, 2007 at 3:36 PM] Microsoft says it is investigating these flaw reports. A statement from Redmond:

Microsoft is investigating new public reports of possible vulnerabilities in Microsoft Office. Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
