Tuesday, July 8, 2008, Redmond, WA — Microsoft released a Security Advisory regarding a “possible vulnerability” in Microsoft Word 2002 SP3 (also known as Word XP, but do not confuse it with Windows XP).
What’s Known About This Attack?
Symantec (Norton) and Microsoft are working together on this one. Symantec is developing an update to detect the document, and Microsoft is working to fix the flawed programming in Word 2002 SP3. Small numbers of people have been tricked into accessing this document, either when it was delivered by email or after being lured to a hacked web site.
But Aren’t You Curious …
… to know if you have the affected version of Microsoft Word 2002 SP3? By “affected” I mean: If you were to receive and open one of these documents, would you have to worry? Here’s how to find out. (Don’t worry; knowing you have Word 2002 SP3 doesn’t do any harm.)
To check if you have Word 2002 SP3, do the following:
- Start “Microsoft Word”.
- Click “Help” (top right), then “About Microsoft Word” (bottom of menu). A dialog box will appear.
- Near the top: If it reads “Word 2002” and further along it says “SP3”, then your version of Word is affected. You must see both phrases; if you see 1 out of 2, don’t worry, you’re not a candidate.
What Happens As A Result Of This Flaw?
If, and only if, you have Word 2002 SP3, and if you receive and open one of these mysterious Word 2002 documents from an unknown source … Microsoft Word exits. Strange, you might say to yourself. And then you reopen the document, and life goes on.
I was unable to find any further information from Symantec or Microsoft on what happens next.
Some reports I found on other web sites say that at the time that Word exits, a Trojan (remember the Trojan horse?) program has been activated that records keystrokes, presumably watching out for passwords and sending them to the hacker’s remote location.
Another report claims the hackers are able to control your PC remotely. They can search and open files, erase files, and even shut down the computer, but neither Microsoft nor Symantec confirms either this or the former scenario. (I suspect many blog reporters found an old report regarding a similar attack that occurred back in 2006. At that time, hackers gained remote control over PCs using a similar attack form.)
What To Do?
Microsoft recommends that you “do not open or save Microsoft (Word documents) that you receive from untrusted or unexpected sources.”
Let Me Assure You
Receiving a document by email will not affect you. Opening an email with the document attached will not affect you. Opening your own files will not affect you. Saving your work or working with Word will not affect you.
And, please, if you get an email warning you of “this virus,” please don’t forward the message.
I suspect that Norton, McAfee and the other anti-virus manufacturers will have found a way to detect and block this before Saturday morning (July 12).
Microsoft will, I suspect, issue a patch within the next 5 to 12 days, to be issued and installed automatically via the Microsoft Update and Office Update web sites, but like I said, I think the antivirus folks will find a way first. (While I write this, BitDefender antivirus has reported they have an update to detect and block it.)
I’ll also keep you up-to-date on this matter on these pages. Email me at news @ skylarknetworks.com if you have questions or concerns. If you include your phone number and best times to call, I will call you directly. You can also subscribe to Skylarking by once daily email to receive a copy in your Inbox. Or join the Skylark NetWorks Newsletter mailing list and specify interest in “Microsoft Office” products.
Most important: Don’t Panic. Stay tuned.
Update: No new news on this item as of Monday, July 14.
Update: Patched on August 12, 2008