Microsoft announced date for patch release of critical Word vulnerability

Microsoft has disclosed that the fix for the Word virus circulating won't be available until June 13, 2006. HLP recommends that you apply the fix immediately when it's available. The issue is that a maclious attacker could create a Word document (or Excel spreadsheet) and send it through E-mail (or be sent by a user you trust from a virus on their PC) that contains an executable virus. Typically you cannot get viruses from documents. However in this case, a program could be embedded in the Word document and allow your PC to be open for further attacks, allow a hacker to take full control of your PC, etc.

HLP recommends you do not open any documents from those that you don't know and trust and that you aren't expecting. The only work around is to run Word in "safe mode" and not open documents directly from Outlook or other E-mail program. The full details of the vulnerability as well as the work arounds can be found at: http://www.microsoft.com/technet/security/advisory/919637.mspx. As always, HLP would be happy to assist you with this or any other questions you may have.

Microsoft Security Advisory

Vulnerability in Word Could Allow Remote Code Execution
Published: May 22, 2006

Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.

Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility.

Derek Rowan
President
HLP Associates, Inc.
www.hlp.net