The hits keep coming for Microsoft Word. About two weeks after the first Patch Tuesday of the year, a fourth Word vulnerability has emerged. In addition, three new Cisco IOS flaws have surfaced, and Chicago voters are at risk for more than choosing the wrong candidate.

Details

Last week, Microsoft released Security Advisory 932114 warning users about a newly discovered parsing error in Word documents. The flaw can lead to the execution of arbitrary code on vulnerable systems.

According to the Microsoft advisory, this vulnerability only affects Word 2000. However, according to reports from Symantec, the flaw could also cause Word 2003 and Word XP to crash.

Attackers are actively exploiting this vulnerability. This is a zero-day threat, which means attackers began exploiting the vulnerability on the same day the flaw surfaced.

Users can't trigger this threat automatically—a user must open an attached Word document to be vulnerable. No patch is currently available, but refraining from opening or saving Word files from untrusted sources can go a long way toward protecting systems.

Read up on Vista security enhancements

On the eve of Windows Vista's mainstream debut, security firm Kaspersky Lab published a white paper that addresses the security strengths and vulnerabilities of the long-awaited new OS. "Vista vs. Viruses" offers a sound initial analysis of the various security features in Internet Explorer 7 and Vista, and anyone planning to make the move to Vista should consider this mandatory reading.

After reading this report, the major conclusion I found is that 64-bit versions of Vista may provide significant protection against rootkit attacks. However, this "PatchGuard" feature only defends the kernel of 64-bit versions. Of course, only time will tell whether this security innovation actually provides significant protection, but it looks promising. In addition, the User Account Control feature, found in both 32-bit and 64-bit versions, provides some protection against malware attacks requiring administrator-level privileges.

Protect against new Cisco threats

US-CERT has published an alert warning about multiple vulnerabilities in the Cisco Internetwork Operating System (IOS). Some of these flaws can lead to the complete compromise of affected systems. The threats can also trigger a reboot that causes a denial-of-service event.

Cisco has also released security advisories about the three threats, providing updates and workarounds. The three vulnerabilities stem from a failure to correctly process TCP packets (memory leak), a failure to properly process some malicious IPv4 packets, and a problem with IPv6 routing header processing.

Chicago voters at risk for identity theft

In the old political machine days, Chicago was famous for the size of the graveyard vote. But now the Windy City is rapidly becoming famous for security breaches, the latest of which caused candidates to receive voter lists complete with millions of social security numbers.

According to a report on the Web site of the Chicago Sun-Times, the breach involves the distribution of 100 CDs containing 1.3 million voters' personal information. The security problem at the Chicago Board of Elections was a hard-copy problem, and the CDs may be recoverable. Of course, it will be impossible to determine whether anyone made a backup copy before returning the CD.

In addition to SSNs, the CDs also included birth dates and home addresses. That's everything needed to steal your identity except your mother's maiden name, which is already public record.

This latest snafu comes on the heels of an October 2006 security lapse, which resulted in the availability of voters' SSNs on the Board of Elections' Web site.

Final word

Hmm… "Vote for me, or I'll destroy your credit"? Surely no politician would be crooked enough to even hint at such a thing!

Also watch for…

According to Secunia's blog, when Apple fixed a recent QuickTime vulnerability, it neglected to provide a non-vulnerable version for Windows users. After the tedious upgrade process, Windows users still apparently end up with a bad version of QuickTime.

The problem apparently surfaced due to reports from Secunia's free new Software Inspector utility. While I couldn't confirm this through my own testing, it's probably a good idea to wait a few days before updating (or using) QuickTime on a Windows system.

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.