Microsoft fixes DNS flaw but warns of Word attacks

Microsoft is warning that a Word flaw is being used for targeted attacks, and has also issued four 'important' patches, including one for a potentially serious DNS flaw in the latest Patch Tuesday bulletin.

Users of an older version of Microsoft Word could have their computers compromised after downloading and opening a specially crafted .doc file, according to an advisory issued late Tuesday.

"Microsoft is investigating the public reports and customer impact," Microsoft said in its Security Advisory 953635.

Microsoft claims only targeted attacks have so far attempted to use this vulnerability against systems running Microsoft Word 2002 SP3. Only users of Microsoft Office Word 2002 SP3 are affected.

To become infected, a vulnerable user would have to open a specially crafted .doc document. An attacker using this vulnerability would then have the same user rights as the victim. If a victim were running as administrator, the attacker would gain full access to the compromised PC.

Microsoft's security response communications manager Bill Sisk said Microsoft could issue an update as part of its monthly Patch Tuesday program or it could issue an out-of-cycle update if required. Microsoft is still investigating the matter.

Workarounds Microsoft recommends include using Office Word 2003 Viewer or Office Word 2003 Viewer Service Pack 3 to open and view Microsoft Word files.

Microsoft encouraged customers who believe they may have been attacked to contact the "national law-enforcement agency in their country".

Patch Tuesday

The updates linked to in Tuesday's bulletins include a patch for a potentially serious underlying DNS flaw.

The flaw, which was discovered by security researcher Dan Kaminsky, affects multiple vendors, including Cisco, and allows DNS spoofing, which involves making a DNS entry point to a different IP address. The Microsoft products affected by the flaw are detailed in Microsoft Security Bulletin MS08-037.

The spoofing vulnerability exists in Windows DNS clients and Windows DNS servers, and could allow an attacker to "quickly and reliably spoof responses and insert records into the DNS server or client cache, thereby redirecting internet traffic", Microsoft warned.

All supported versions of Microsoft Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2008 are affected by the flaw. Microsoft claims its security update addresses the vulnerabilities by using "strongly random" DNS transaction IDs, using random sockets for UDP queries, and updating the logic used to manage the DNS cache.
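To show why the fix randomizes both the transaction ID and the UDP source port, the following added example (not from Microsoft or the original article) estimates how many bits an off-path spoofer would have to guess from a resolver's observed outbound queries. The function names, the thresholds and the sample observations are assumptions constructed for illustration.

```python
import math
import random
from statistics import pstdev

def spread_bits(values):
    """Estimate bits of unpredictability from the spread of observed values.

    A uniform distribution of width w has standard deviation w/sqrt(12),
    so the observed deviation gives an estimate of the range in use.
    """
    width = pstdev(values) * math.sqrt(12)
    return math.log2(max(width, 1.0))

def assess_resolver(queries, min_total_bits=28.0, min_port_bits=8.0):
    """queries: (source_port, txid) pairs from one resolver's outbound UDP queries.

    The two thresholds are illustrative assumptions, not vendor values.
    """
    port_bits = spread_bits([p for p, _ in queries])
    txid_bits = spread_bits([t for _, t in queries])
    total = port_bits + txid_bits
    if total >= min_total_bits:
        verdict = "randomized"
    elif port_bits < min_port_bits:
        verdict = "predictable source port"
    else:
        verdict = "predictable transaction ID"
    return {"port_bits": round(port_bits, 1), "txid_bits": round(txid_bits, 1),
            "total_bits": round(total, 1), "verdict": verdict}

def constructed_samples(n=200, seed=1):
    """Constructed observations for three resolver behaviours (not real captures)."""
    rng = random.Random(seed)
    return {
        "fixed port, sequential ID": [(32768, (4000 + i) % 65536) for i in range(n)],
        "fixed port, random ID": [(32768, rng.randrange(65536)) for _ in range(n)],
        "random port, random ID": [(rng.randrange(1024, 65536), rng.randrange(65536))
                                   for _ in range(n)],
    }

if __name__ == "__main__":
    for name, queries in constructed_samples().items():
        print(f"{name}: {assess_resolver(queries)}")
```

A resolver with a fixed source port leaves only the 16-bit transaction ID to guess, while randomizing both fields roughly doubles the number of bits.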

However, this flaw affects many more vendors. According to US-CERT vulnerability note 800113, vendors known to be vulnerable to this flaw include Cisco, the Internet Software Consortium, Juniper Networks, Microsoft, Nominum, Red Hat and Sun. Other potentially affected vendors include Akamai, Apple, Debian GNU/Linux, Fedora, FreeBSD, Gentoo, HP, IBM, Motorola, Nokia and Ubuntu.

Microsoft's July Patch Tuesday also included bulletin MS08-040, which addresses vulnerabilities in Microsoft SQL Server. The flaws are page reuse, buffer overflow and memory corruption vulnerabilities, and affect SQL Server 7.0, SQL Server 2000, SQL Server 2005, Microsoft Data Engine (MSDE) 1.0, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon).

Patch Tuesday also saw the release of bulletin MS08-038, which gave details of a saved-search vulnerability in Windows Explorer that affects multiple operating systems including Vista. Bulletin MS08-039 also gave details of cross-site scripting vulnerabilities in Outlook Web Access.