Microsoft has announced this week a security hole in MS Word – well, actually it’s in the Jet Database engine, but that creates a vulnerability in MS Word, which attackers can exploit to gain remote access and control of your computer. Nearly all versions of Windows, including XP, 2000 (2K) and many Windows Server editions, are vulnerable. In fact the only versions of Windows not vulnerable to this attack are Vista, and Windows Server 2003 SP2.
As Microsoft works further to reduce the vulnerability of their operating system to attack, so have the fraudsters, fishers and fly-by-nights changed their attempts to access your data or gain control of your machine. Over the past few years, attackers have moved their focus to Office applications, piggybacking Trojans and other malevolent payloads in files that all too many Pointy-Headed Bosses click on without thinking of the potentially disastrous consequences. Between 2002 and 2006, fewer than 10 high-severity issues were reported in the Office suite of applications annually. But last year alone some 26 were reported, some of which were used to target corporations, political organizations, government agencies and parts of the US military.
Microsoft issued a Security Advisory late last week ([Page no longer available – we have linked to the archive.org version instead], entitled [Page no longer available – we have linked to the archive.org version instead]), warning of reported attempts to use a vulnerability in the Microsoft Jet Database Engine, exploited through Microsoft Word. If this attack is successful on your machine, the attacker can gain the same user rights as the local user (i.e. you); yet one more reason to use administrator privileges only to actually administer your machine, and to use normal user privileges when you’re being a normal user.
The good news: if you’re on Vista (with or without SP1) or Windows Server 2003 SP2, you are invulnerable to this particular attack.
The bad news: all other operating systems (2000, XP, or Windows Server 2003 SP1) are not.
What can you do to minimize the risk of becoming a victim of this type of attack? If you receive an email with a Word file and a Jet database file (which may or may not have the default extension .mdb), both perhaps archived in a ZIP file, consider the email unsafe and do not click on the attachments. Microsoft email programs won’t directly open the database, because Microsoft considers them insecure, but the email program will save files to a directory, and if you then take the explicit action to open the Word document, the database file will be indirectly opened too, and … you’re now compromised.
And, of course, as we always preach, generally don’t open any attachments, at least until you confirm that the person who purportedly sent them – who had better be someone that you know – actually sent them.
Don’t fall prey to this kind of attack. This particular exploit happens to use Word as the indirect method of opening the database payload, but it could equally well have been Powerpoint or Excel. To quote Microsoft: “users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.” Andy Grove was much more succinct: “only the paranoid survive. ”
Wherever your particular comfort level may be, remain constantly vigilant for attempts to trick you into doing something you’ll later regret. Follow good email practice, and be safe.