Wednesday, December 06, 2006

Microsoft Word and Zero-Day

There is another zero-day vulnerability in Microsoft Word. This means that the attacks are out there and there is no fix available.

Microsoft says the "Vulnerability in Microsoft Word Could Allow Remote Code Execution". In other words, slime-bags can write and run malevolent software on your computer. (Nothing new for Windows users.)

Microsoft's suggestion is that users "not open or save Word files," even from trusted sources. Not really an acceptable recommendation, is it? And comments from Microsoft such as "users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources" are not much help either. As a software professional, I'm not sure how to exercise extreme caution opening an attachment in Windows when there is no fix for the vulnerability available. Perhaps you close your eyes and cover your important bits with one hand while clicking the mouse with the other. Do any non-technical users out there have any ideas?

I exercise sensible caution by running Linux on my desktops - at work, at home, and on the kids' machine. (The kids must see computers at school and wonder what all that windozy zero-day stuff is.)

UPDATE: 8/12/2006

Still no patch for Word scheduled.
Now another zero-day exploit, this time in Windows Media Player. Ouch!

2 comments:

Peter said...

Here's an interesting one for you...

http://www.eweek.com/article2/0,1895,1992128,00.asp

Viruses and Trojans used for espionage!!!

Anonymous said...

Yeah, Peter, that's an interesting article.

It implies that corporate directors are hiring hackers to write this malicious code. (Or entrepreneuring hackers are approaching business with their ideas or their data spoils.)

Like many problems in society, there are two fronts to fight. There is the technical security response (for which I say dump Windows) and there are the business/legal/civil/social issues behind hacking. If this second category is not addressed it becomes a technical arms race between attacker and attacked.

It's like you've gotta lock your front door, but also try to reduce the conditions that promote crime. Trouble is, Microsoft Windows has a pretty flimsy front door.