Zero-day threat persists for Microsoft Word

Attackers are currently exploiting a flaw present in most versions of Microsoft Word, but don't look for Microsoft to address the vulnerability in this month's Patch Tuesday. John McCormick has the details on this threat as well as advice for how you can protect systems in the meantime in this edition of the IT Locksmith.

Will Microsoft patch the zero-day Word exploit for this month's Patch Tuesday? Don't count on it. While it doesn't look like a fix will be part of the monthly updates, don't wait to protect your systems.


A zero-day flaw surfaced in Microsoft Word last week that's currently under attack. In response, Microsoft released Security Advisory 929433, detailing the new remote code execution threat that affects most versions: Word 2000, Word 2002, Word 2003, Word Viewer 2003, Word 2004 for Mac, Word 2004 v. X for Mac, Microsoft Works 2004, Microsoft Works 2005, and Microsoft Works 2006. Secunia has released its own advisory for the threat—SA23232 (CVE-2006-5994).

TechRepublic blog entries from Bill Detwiler and George Ou are buzzing about the latest Word file problems. Although things may change, it doesn't look like Microsoft will be addressing these critical threats in this week's Patch Tuesday.

In the meantime, Microsoft's only advice is to avoid opening Word documents from untrusted sources. My advice is to change your organization's default file format from .doc to .rtf. While not enough details are available about the current threat to be certain that this change will block attacks, this approach has been effective in protecting against earlier Word file attacks.

Although it may not work against this memory corruption exploit, the .rtf format doesn't store the dangerous macros often embedded in .doc files, while still retaining most of the popular, commonly used features. In fact, I typically insist on the .rtf format from any strangers.

Final word

Just say NO to .doc files. Give some real consideration to whether the marginal advantages of using the .doc file format are really worth the risk of exposing your organization to new Word malware every few months.

At the minimum, require all files sent from outside the local network to be in .rtf format. And when there's an active, unpatched threat such as the current one, I wouldn't hesitate to require .txt file attachments from strangers. If a complete stranger can't figure out how to do that, I probably don't need to read what he or she has to say anyway.
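One way to enforce the "only .rtf or .txt from outside the local network" rule at a mail gateway is to check not just the attachment's extension but its actual content, so a .doc that has simply been renamed to .rtf is still turned away. The following is an added example written for this column, not code from the author or from Microsoft; the filenames, the sample bytes and the external/internal sender flag are constructed for illustration. It relies on two well-known signatures: .doc files are OLE2 compound documents beginning with the bytes D0 CF 11 E0 A1 B1 1A E1, and a genuine RTF file begins with the text `{\rtf`.

```python
"""Attachment policy check for the 'require .rtf or .txt from outside' rule.

Added example, not part of the original column. The OLE2 header and the
RTF signature are real format magic; the sample attachments below are
constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# OLE2 / Compound File Binary header: every classic .doc (and .xls, .ppt)
# starts with these eight bytes.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# A real RTF file opens with the control word \rtf inside a group.
RTF_MAGIC = b"{\\rtf"

# Policy from the column: outside senders may only submit these formats.
ALLOWED_EXTERNAL = {".rtf", ".txt"}


def sniff_format(data: bytes) -> str:
    """Classify the content by its bytes, ignoring the file name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"          # binary Word/Office compound document
    if data.startswith(RTF_MAGIC):
        return "rtf"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    # Plain text may contain tabs and line breaks but no other control bytes.
    if any(ord(ch) < 32 and ch not in "\r\n\t" for ch in text):
        return "binary"
    return "text"


@dataclass
class Verdict:
    filename: str
    detected: str   # what sniff_format() found
    action: str     # "accept", "reject" or "review"
    reason: str


def check_attachment(filename: str, data: bytes, external: bool) -> Verdict:
    """Apply the column's policy: internal mail passes, outside mail must be
    .rtf or .txt and the content must match the extension it claims."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    fmt = sniff_format(data)
    if not external:
        return Verdict(filename, fmt, "accept", "internal sender")
    if ext not in ALLOWED_EXTERNAL:
        return Verdict(filename, fmt, "reject",
                       f"extension {ext or '(none)'} not allowed from outside")
    if ext == ".rtf" and fmt != "rtf":
        # The classic evasion: a .doc renamed to .rtf so the extension filter passes.
        return Verdict(filename, fmt, "reject", f"named .rtf but content is {fmt}")
    if ext == ".txt" and fmt != "text":
        return Verdict(filename, fmt, "reject", f"named .txt but content is {fmt}")
    if fmt == "rtf" and re.search(rb"\\object\b", data):
        # RTF cannot hold macros, but it can embed OLE objects; route those to a human.
        return Verdict(filename, fmt, "review", "RTF carries an embedded object")
    return Verdict(filename, fmt, "accept", "format matches policy")


# Constructed sample attachments for the demonstration.
RENAMED_DOC = OLE2_MAGIC + b"\x00" * 24           # a .doc header with a .rtf name
PLAIN_RTF = b"{\\rtf1\\ansi Hello from outside.}"
RTF_WITH_OBJECT = b"{\\rtf1{\\object\\objemb{\\objdata 0105}}}"
PLAIN_TEXT = b"Hi,\nplease see the notes below.\n"


def run_demo() -> list:
    """Evaluate the constructed samples and return the verdicts."""
    cases = [
        ("proposal.rtf", RENAMED_DOC, True),
        ("memo.rtf", PLAIN_RTF, True),
        ("quote.rtf", RTF_WITH_OBJECT, True),
        ("notes.txt", PLAIN_TEXT, True),
        ("report.doc", RENAMED_DOC, True),
        ("report.doc", RENAMED_DOC, False),
    ]
    return [check_attachment(name, data, ext) for name, data, ext in cases]


if __name__ == "__main__":
    for v in run_demo():
        print(f"{v.filename:14} detected={v.detected:6} {v.action:7} {v.reason}")
```

The content check is the important part: an extension allow-list alone is defeated by renaming the file, whereas the OLE2 header is what Word actually needs to treat the file as a binary .doc. Treating RTF with an embedded object as "review" rather than "accept" keeps the column's caution that .rtf reduces, rather than eliminates, the risk.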

Also watch for…

  • Spam isn't just a problem in North America. Across the pond, the flood of unwanted and often illegal offers is so bad that the European Commission has called for governments and business to implement new anti-spam measures and to prosecute those responsible for the related online criminal activity.
  • A new TechNet blog is reporting that proof-of-concept code is circulating for a new vulnerability in Windows Media ASX files, which run in Windows Media Player.
  • A new Apple QuickTime flaw is letting hackers alter MySpace profiles to add links to phishing sites. (Sure, you might not use MySpace, but your kids probably do—and on the same home system that includes business files.)
  • Check out the new Secunia Software Inspector, which checks operating systems and common applications—including browsers, browser plug-ins, IM clients, and media players—to report whether you have the latest version and all the patches installed. There's also an option to look for apps in non-standard locations.
    This is a free service that runs online using a Java applet. The basic security settings in my Firefox browser blocked it, but it ran in an older Internet Explorer version. It might be worth considering adjusting one browser version to use this new service.


John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.