“Microsoft has warned of a serious – and as yet unpatched vulnerability – in Word. Hackers (albeit to a limited extent) are exploiting the zero-day flaw in its ubiquitous Office application, Redmond warns,” John Leyden reports for The Register.
Leyden reports, “The flaw – which stems from an unspecified memory corruption bug – doesn’t just affect Windows users. Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, along with Microsoft Works 2004, 2005, and 2006 are all potentially vulnerable. Users tricked into opening maliciously constructed Word files are liable to find their systems compromised.”
More info and links here.
[Thanks to MacDailyNews Reader “Chas” for the heads up.]
MacDailyNews Note: Microsoft’s Security Advisory (929433 – almost time to add another digit there, M’Soft) states: “In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker. As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.”
Related MacDailyNews article:
Mac users should not buy Microsoft software (or hardware) – May 16, 2003
I’m continually amazed at the number of websites (non-profits, govt, etc..) that have Word files rather than PDF files when you seek to download documents. I’m always wondering about the safety of these Word files.
I’m glad I’m not “dogfooding” that shit!
Microsoft could not remain satisfied at having created the most insecure and bug-ridden computer platform. They decided to go for the gold and attempt to pass their buggy software on to us Mac users also. Strive for perfection, I always say!
If you can never reach true perfection, ruin it for those that have….
MDN word: science – Microsoft has mastered the science of screwing up.
Article notes:
“Users tricked into opening maliciously constructed Word files are liable to find their systems compromised.”
What sort of compromise? What happens to the Mac? How does it happen?
Specific, detailed info from article authors and Microsoft would be much more helpful than this simple “boogeyman under the bed” warning.
Niffy
Is this a drive to promote MS security software for Macs as well as PCs?
‘we know Macs are vulnerable – because we did it!!’
The only malware I’ve seen in my life was a harmless-to-Mac Microsoft Word 97 macro in a Word document sent to me by someone using Windows 98 in 2003-4. ClamXav took care of that. The only data I’ve ever lost in a crash was when Internet Explorer crashed on OS 8.6? If not for Microsoft innovation, my computers would have had a pristine record.
MW: “years” as in nothing’s changed in Redmond.
“I’m continually amazed at the number of websites (non-profits, govt, etc..) that have Word files rather than PDF files when you seek to download documents.”
Me too. MS-Word .DOC is not an exchange format. PDF is an exchange format.
MS-Word is not a document exchange format.
Don’t send me word documents.
PDF specification.
I have a rule that I implement for my PowerBook:
DO NOT USE MICROSOFT SOFTWARE!
Simple. And it works. Why waste 400MB+ on a word processor, spreadsheet and crap presenter? If you have to have Word compatibility, use NeoOffice.
MacDailyNews Note: …As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.
Yeah, that’s wonderful in theory. Those of us that receive upwards of 100 emails a day, spam excluded, from customers or people looking to submit press releases have to deal with reality though.
I’m too extremely curious about what this thing actually does…
Seems strange that a “memory corruption bug” can hit 2 VERY different platforms and do exactly the same thing?..
Pardon the lingo noob here….what exactly is “dogfooding?”
Keep in mind that not all companies have the ability to put documents into PDF format. I deal with many telecommunications companies with my job and most don’t have the ability to send things in PDF format. The number one telecom company, for example, sends everything as a word document because they don’t have PDFing abilities within their computer systems. While PDF is mainstream it still doesn’t have the penetration that a word document does. I wish it wasn’t that way but that is simply how the business world works.
I have an idea. Next time someone emails you a Word doc file, send them this link:
http://secunia.com/advisories/23232/
and then tell them to never send you another Word doc again.
“DOGFOODING”
see explanation on article about MS XML on Mac
This is a word processor…Unless MS designed some hidden backdoor in Word that permits executables (apart from macros). They should be taken to task for this. This is a big deal. And their solution is what…TO STOP DOING BUSINESS????!!!!
So I assume it’s safe to open Word documents in other compatible word processors such as Text Edit, Neo Office, Open Office, Pages, etc.
I’m still waiting for companies to start imposing policies where they refuse to use Microsoft Office documents due to the high risk of infection, kind of like how retail stores refuse to accept $50 and $100 bills due to high risk of counterfeits.
For some reason, common sense never seems to surface when Microsoft is involved.
My girlfriend phoned me to say that both her Windows machines blue screened this morning. STOP 0x0000007B: Inaccessible Boot Device. The screen says to run your virus software yet there is no way to run the thing…not even in safe mode. She has all the latest virus stuff provided by a service. As a Mac user since 1993 I cannot fathom this. This is all so normal for a Windows user, just part of the computing experience. FARG!
MW: “nuclear” as in meltdown
Jim,
Unfortunately the business world relies on M$ Office products. I have tried Neo but cannot stand it. Buggy and very slow.
One thing to note here is that while Apple recently released several patches for potential vulnerabilities, this one is in response to actual attacks. To quote from MS own security advisory,
“Microsoft Security Advisory (929433)
Vulnerability in Microsoft Word Could Allow Remote Code Execution
Published: December 5, 2006
Microsoft is investigating a new report of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.”
Big difference. Not to mention the fact that this one just requires that you look at a word doc.
@war
I contend that the telecommunications companies you work with are lazy and/or have a myopic view of IT. It would appear that their computing software infrastructure and expertise starts and stops at Microsoft.
The link I posted to the Adobe site clearly explains how PDF works for developers who are interested…
“The PDF specification was first published when Adobe® Acrobat® was introduced in 1993… …The PDF Reference provides a description of the Portable Document Format and is intended for application developers wishing to develop applications that create PDF files directly, as well as read or modify PDF document content.”
Apple makes extensive use of PDF as a display and print technology in OS X. I can go hog wild with PDF on my Linux machines.
Interoperability is a very long word. Can you spell IT?
STILL NO ONE HERE HAS RESPONDED TO THE QUESTION : WHAT HAPPENS TO THE MAC WITH THIS OFFICE ISSUE?
Inform please!!! Even the linked article was useless.
I’m assuming the answer is “nothing” but I’d like confirmation.
Maybe you guys should start looking at the fires in your own houses, too. Where’s the mention of the numerous patches for apps running on OSX because of vulnerabilities found? What’s that? I can’t hear you. Thought so. Now shut the hell up.
Niff and MacRaven are right.
Exactly what happens on a Mac if a Word file that uses this exploit is opened? Does the Mac crash? How is the Mac compromised? I find it hard to believe that a Word exploit that would open up hacker access in Windows would do the same thing on a Mac.
These are important questions, and we need to get the answers asap.