Microsoft fixes fatal Office flaw

Microsoft Corp. has released its monthly set of security patches, fixing a critical flaw in Office.

Attackers could exploit the bug by tricking Office users into opening a maliciously encoded .pub document, which would then allow attackers to run unauthorized software on a victim’s PC. These .pub documents are created by Microsoft’s Publisher software, an Office component used for designing print and online business publications. The flaw is described at thisWeb site.

Microsoft rates the bug as critical for Publisher 2000, but this warning has been downgraded to “important” for the Publisher 2002 and Publisher 2003 products.

Although Publisher is the application being patched, Office users should also be mindful of the issue because Publisher is part of the Office Professional Edition suite, said Christopher Budd, a program manager with Microsoft’s Security Response Center.

Some security experts expected Microsoft to fix a similar bug in Word, which has been used by online attackers over the past few weeks, but that problem remains unfixed.

Microsoft acknowledged the Word problem last week but was unable to run a fix through its quality assurance tests in time for September’s updates, according to Budd. “It was just not feasible from an engineering standpoint … to get the quality testing in,” he said.

Both the Word and Publisher bugs rely on the same type of attack to work: an attacker e-mails a malicious document and somehow tricks the victim into clicking on the attachment.

Security experts have been seeing more of these Office flaws exploited of late. “This is one of the trends that we have observed,” said Amol Sarwate, director of the Qualys Inc. vulnerability research lab. “The growing number of client-side vulnerabilities where you have a malformed Publisher file or Word file or Excel file.”

Tuesday’s patches also include less-critical fixes for two Windows components: the PGM (Pragmatic General Multicast) protocol used by Microsoft’s Reliable Multicast Program software to transfer data, and the Windows Indexing service, which is used by the operating system’s search engine.

More information on Microsoft’s security bulletins can be found at this Web site.

September may seem like a bit of a reprieve for harried system administrators who were given 19 updates to test and deploy over the past two months. Microsoft was forced to reissue one of its August patches after it caused Internet Explorer to crash when working with a Web-based enterprise applications such as PeopleSoft and Siebel.

But before Microsoft patchers get too relaxed, they should brace for the possibility of another patch later this month, Qualys said. Because attackers are actively exploiting the Word problem, Sarwate believes that Microsoft may issue an “out-of-cycle” patch for the problem, ahead of its next scheduled security updates, which are due Oct. 10.

That prospect seems unlikely, however.

Microsoft’s Budd characterized the Word attacks as “very limited in terms of scope,” saying, “at this point in time, we’ve not made any determination to do anything out-of-cycle.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now