On the same day Microsoft released its biggest batch of security patches in more than five years, it also warned Windows users of a critical bug that it didn’t get around to fixing.
In an advisory posted Tuesday, Microsoft said that “limited and targeted” attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. The flawed converter handles Microsoft Word 97 files on Windows 2000 Service Pack 4 (SP4), XP SP2, Server 2003 SP1 and SP2.
Newer versions of Windows — XP SP3, Vista and Server 2008 — are not vulnerable to the bug, however.
WordPad is a basic word processor that’s been bundled with Microsoft’s operating system since Windows 95. The converter allows people who don’t have the company’s Word application to open documents in Windows Write, Word 6.0, Word 97, Word 2000 and Word 2002 formats.
Microsoft said that the WordPad converter bug requires some help from the user, who must be tricked into actually opening a malicious file — most likely delivered as an e-mail attachment.
It also gave users equipped with Word some additional advice about how to block attacks. “When Microsoft Office Word is installed, Word 97 documents are by default opened using Word, which is not affected by this vulnerability. However, an attacker could rename a malicious file to have a Windows Write (.wri) extension, which would still invoke WordPad. This file type can be blocked at the Internet perimeter,” the advisory said.
As it almost always does in its advisories, Microsoft was vague about whether it plans to patch the problem. “Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the boilerplate read. “This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on our customer needs.”
The last time Microsoft issued a security advisory was in late October, just days after it released an emergency patch for Windows, when it told users that exploit code had made it to the Web. That bug was later exploited by several pieces of malware, including the “Conficker.a” worm , which some researchers said was being used to build a massive botnet.
In one case, it took Microsoft seven years to patch a critical flaw.
If Microsoft does patch the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009.