Word 2003 and Earlier Still Vulnerable to E-mail Attacks

The effectiveness of a patch issued last September for a Microsoft Word vulnerability, where .DOC files opened in Word 2003 and earlier versions via Internet Explorer or Outlook could enable remote code execution, is being called into question today.

The US-CERT team from the Dept. of Homeland Security has notified users this morning that another version of the so-called "malformed string vulnerability" is actively being exploited in the wild. Microsoft's response this morning, which does not include links to the latest patch for a similarly named vulnerability, is an indication that the solution at hand may not be enough.

Even if the specific mechanism involved in this new exploit, reportedly discovered by McAfee Avert Labs, is different from the one for which Microsoft issued a patch last month, the theory behind it is basically the same: if someone receives an e-mail in Outlook to which a Word 2003 or earlier document is attached, or if an attempt is made to distribute a .DOC file as a Web page URL instead of as a downloadable file, that file can take advantage of a vulnerability made feasible through the Web browser (Internet Explorer was not named specifically).

It may be a newly discovered hole, but it leads to a familiar place: A malformed string inside the .DOC file, as it is received through the Web browser, could enable remote code execution under certain circumstances.

If there is any lesson for users to learn from the persistence of this class of vulnerability, a clue to it may lie in how it exploits their access rights. In its security advisory from last October, Microsoft explained the circumstances as it saw them thus:

"If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights."

The indication here is that the exploit could only work when the active account was already protected by security limitations - when you're not logged on as "Administrator." This morning's advisory reiterates, but more briefly: "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights."

The vulnerability affects versions from Word 2000 to Word 2003, as well as Microsoft Works packages that include Word as part of the bundle. It does not involve Word 2007 in the newest Office suite, whose document rendering model is based on the new Office Open XML format by default.

Conceivably, Windows Vista users may be further protected from these and similar vulnerabilities, if they use older versions of Office, by virtue of its new User Account Control feature. This enables general users to run with limited privileges that can be temporarily elevated, through the user's direct intervention, by means of a password. No external program would be able to wrest those same administrator privileges, especially because Windows can be set to lock itself down -- including shutting off Internet access -- during those periods where it seeks that password.


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.