- SAN FRANCISCO (Reuters) -
Microsoft Corp. on Friday said it was investigating a security flaw in
its word processing software that could allow an attacker to steal sensitive
computer files by using an innocent-looking Word document.
- "Microsoft is still in the initial stages of testing
the flaw and will determine the best fix possible based on these findings,"
the company said in a statement.
- Based on the flaws uncovered by security experts, an
attacker could send a Word document to an intended victim, asking that
they modify and return it, according to Woody Leonhard, publisher of the
Web site www.woodyswatch.com, which looks at the Microsoft Office suite
of productivity software.
- Meanwhile, a secret code in the document could be used
to grab files on the victim's computer that would then be transferred back
to the attacker along with the original document, he wrote in a report.
- The first of the flaws, affecting Word 97, was reported
last week on the Bugtraq e-mail list by Alex Gantman, Leonhard said. Later,
Leonhard said, he discovered a different combination of "spy"
fields that can be used in Word 2000 and Word 2002.
- Microsoft said that, while the flaws affect all versions
of its Word program, several factors mitigate the security risk they pose.
- For example, a hacker would have to know exactly the
name and location of the target file and the victim would have to modify,
save and then return the document to the attacker, the company said.
- But Bruce Schneier, chief technology officer of Counterpane
Internet Security, a network monitoring company, said the flaws are serious
since hackers could rely on a feature of Word itself instead of malicious
software to steal data.
- "It's a horrible vulnerability," he said. "It's
a feature. It's not something an anti-virus product will notice. You can't
turn it off."
- While users of Word 2000 and 2002 will be able to get
a fix or patch via download from the Web site, users of Office 97 will
need to call a support phone number, a Microsoft spokesman said.
- "A solution will be determined for all versions
of the product -- including Office 97," the Microsoft statement said.
- Word 97 users can view any hidden codes in documents.
Microsoft gives instructions on how to do that on a technical support Web
site at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q223790.
- Copyright © 2002 Reuters Limited. All rights reserved.
Republication or redissemination of the contents of this screen are expressly
prohibited without the written consent of Reuters Limited