No fix yet for Word 2000 flaw
Microsoft releases patches for three security holes, but does not have a fix for a Word 2000 flaw being used in attacks.
As part of its monthly patch cycle, Microsoft released updates for Office and Windows users to repair a trio of security flaws, a tally that is notably fewer than in previous months. The software maker deems the Office problem "critical"--its most serious rating. The Windows problems have a lower severity rating.
"What's not there is more news than what is there, from what we can see," said Amol Sarwate, research manager at vulnerability management company Qualys."The first thing we noticed is a lack of a patch for the Microsoft Word vulnerability at large; they did not have enough time to produce a patch."
Microsoft last week warned that miscreants are using a previously unknown flaw in Word 2000 in cyberattacks. These attacks come by way of rigged Word documents attached to an e-mail or otherwise provided to the targeted person. Microsoft has said that it is working on a patch, but in a security advisory posted Sept. 6, it did not give an expected release date.
The yet-to-be addressed Word 2000 flaw is similar to the Office flaw that Microsoft did tackle on Tuesday. This vulnerability affects Microsoft Publisher in Office 2000, Office XP and Office 2003. An attacker could exploit it by crafting a malicious Publisher file and tricking someone into opening it, perhaps by hosting it on a Web site or sending it by e-mail, Microsoft said in security bulletin MS06-054.
"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft said. "We recommend that customers apply the update immediately."
Publisher is Microsoft's desktop publishing application. The software maker recommends all Office users install the patch, regardless of whether Publisher is installed, because other Office applications use some of the same compromised files.
Of the two Windows vulnerabilities addressed by Tuesday's fixes, one could allow an attacker to remotely take control of a PC and the other could lead to information disclosure, Microsoft said.
A flaw in a protocol for data exchange in Windows XP could let an intruder hijack a vulnerable system by sending it a special data packet, according to Microsoft security bulletin MS06-052. However, the Pragmatic General Multicast, or PGM, protocol is part of Microsoft Message Queuing technology version 3.0, which is not enabled by default, Microsoft said.
The information disclosure vulnerability exists because of a cross-site scripting flaw in a part of Microsoft's Indexing Service, Microsoft said in security bulletin MS06-053. An attacker could exploit the flaw to run script code on a vulnerable PC. The script could spoof content, disclose information or take any action that the user could take on a specific Web site, Microsoft said.
The patches are available online and will be pushed out via Microsoft's Automatic Updates service. As for the unpatched Word flaw, Qualys recommends Windows users install multiple layers of security software and use caution when opening e-mail attachments.