Security Hole in Microsoft Word Threatens Millions

The vulnerability affects Word 2000, 2002, 2003, Word Viewer 2003, Word 2004 for Mac , and Word 2004 version X for Mac. The free applications of Microsoft Works -- versions 2004, 2005 and 2006 -- are also vulnerable.

How Big?

As Microsoft is releasing little data, the scope of the problem is unclear. As few as 300,000 users out of a potential universe of millions have sufficient firewall and antivirus defenses in place to protect against incursions, estimates Ryan Sherstobitoff, product technology officer for Panda Software.

Even though the flaw is widespread in terms of the number of products affected, the impact is not likely to be on the scale of a Blaster or Slammer worm, Randy Abrams, director of technical education at ESET, told TechNewsWorld. In those cases, code was executed without user interaction.

"This is really more of an incident that should be used to remind people to be cautious in handling attachments, rather than a high -profile threat," he said.

Standard Precautions

Until a patch is released, Microsoft and security experts are cautioning users not to open unexpected documents, especially those from unknown sources.

"Users, home and corporate, need to understand that even if an e-mail appears to come from someone they know, it may not have actually been sent by that person," Abrams warned. "Attachments that are not asked for or expected should not be opened prior to confirming with the sender that they actually did send the attachment and why."

The primary consumer attack vectors will likely be documents sent to people that claim to contain user names and passwords for porn sites; lists of activation codes for desirable software; information about a consumer's bank, stock or other financial account; pictures of celebrities; or jokes, Abrams said.

"History has taught us that these are highly successful social engineering tactics," he observed. "The fact that Word documents are very commonly exchanged make this vulnerability of concern.However, other means of tricking users into installing malicious software are effective enough that malware writers may not see a need to expend energy on an attack that is likely to gain only marginal returns."

More Mac users than usual might fall victim, since this user group is unaccustomed to malware and may not be as vigilant, Sherstobitoff told TechNewsWorld, noting that it is generally unusual for Mac software to be affected.

"It is more difficult to run arbitrary code on the Mac's underlying kernel than it is with a Windows OS," he pointed out.

Corporations at Risk

Even though corporations are better prepared than individual users for online malware, their systems may be at greater risk for attack, said Abrams.

"For financially motivated attackers, it is not important to be able to exploit a million machines. Simply compromising one machine on a network can be enough to gain access to proprietary corporate information. It is likely that this will be a small, but costly, attack vector," he predicted.