Microsoft security engineers are investigating attacks against a recently published Word vulnerability which may lead to remote system compromise. The code execution vulnerability is caused by a buffer overrun in the Microsoft Jet Database, or msjet40.dll.
Security researchers say that the vulnerability could be exploited by an attacker who successfully enticed a user to open a malicious Word file constructed to load the specially-crafted database file using msjet40.dll.
A successful exploit would allow an attacker to gain the same privileges as the local user. In a Web-based exploit, an attacker could host a malicious Web site, including compromised Web sites and sites that accept user-provided content, with a specially-crafted Word file that exploited the vulnerability.
While users could not be forced to visit the malicious Web sites, an attacker could persuade them to visit the malware hosting sites by clicking on a malicious link embedded in an e-mail or IM message.
Accounts with reduced user rights could be less affected than users with elevated administrative privileges, security researchers say.
Customers using Microsoft Word 2000 Service Pack 3, Word 2002 Service Pack 3, Word 2003 Service Pack 2, Word 2003 Service Pack 3, Word 2007 and Word 2007 Service Pack 1 on Windows 2000, Windows XP or Windows Server 2003 Service Pack 1 are vulnerable to the potential attacks.
However, Windows Server 2003 Service Pack 2, Windows Vista and Windows Vista Service Pack 1 are protected from attack due to the fact that they include a version of the Jet Database Engine that does not contain the flaw.
So far, Microsoft said that it is only aware of selectively-targeted attacks that have exploited the vulnerability, while other security experts say that they believe the risk is limited. "We have not seen the Microsoft Jet being exploited in the wild. We don't think it's very widespread at this point," said Alfred Huger, vice president of development for Symantec Security Response.
An advisory on the Microsoft Website said that the company is currently investigating the "public reports and customer impact" and whether additional applications could be affected by the error.
Upon completing the investigation, the company maintained it will take "appropriate action," which could include providing a security update during its monthly bulletin release or providing an out-of-cycle fix.
A SANS Institute posting advises users not to open or save Word files received from untrusted sources or "files that were received unexpectedly from trusted sources."
Security experts advise that customers should protect themselves from attack by keeping all software running with the latest updates, enabling firewalls, and installing and maintaining antivirus and antispyware.
While there are no patches that repair the flaw yet available, security experts recommend other remediation, such as installing controls that only allow access to privileged or authenticated parties.
"If (the Jet Database) is not actively in use it should be disabled," said Huger.
Meanwhile, Symantec security researchers maintain that the company "strongly encourages people to install patches" once they become available. |
