Microsoft warns of Office zero-day, active hacker exploits

Creation date

ID: IRCNE2013112006
Date: 2013-11-06

According to Computerworld, Microsoft said today that attackers are using malformed documents to exploit a critical, unpatched vulnerability in Office 2007 and hijack Windows PCs, and that Office 2003 and Office 2010 are also vulnerable.
The bug can be triggered by a malformed image file viewed on a website or in an email message if one of those versions of Office is installed on the system.
"We are aware of targeted attacks, largely in the Middle East and South Asia," Dustin Childs, a communications manager with the Microsoft Security Response Center (MSRC), said in a Tuesday blog entry.
It was initially unclear exactly which versions of Windows are at risk, and thus the extent of the problem for Microsoft's customers.
While Microsoft listed only Windows Vista and Windows Server 2008 as vulnerable in its initial advisory, the McAfee security researcher who reported the flaw to Microsoft last Thursday said that both Windows XP and Windows 7 could also be exploited through malicious Office files.
"While we spotted the attack performed via Office 2007 running on Windows XP, this is actually a fault existing in a TIFF-processing component shipped with Microsoft Office," wrote Haifei Li on McAfee's website. "Therefore, not only is Office 2007 with Windows XP vulnerable to this attack, but also more environments are affected, [including] Office 2007 running on Windows 7."
According to details spelled out by MSRC engineer Elia Florio, anyone running Office 2003 or 2007, no matter what operating system powers the PC, is affected, while only those running Office 2010 on Windows XP or Server 2003 are at risk.
Office 2013, Microsoft's newest, does not contain the vulnerability, said Florio.
