Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

New Office flaw embarrasses Microsoft

Highly critical hole appears a day after the monthly patch day.

By Scarlet Pruitt, IDG News Service | Published: 15:46, 13 April 2005

A day after monthly patch day, Microsoft has confirmed it is investigating an unpatched security hole in Office that could allow system access.

The vulnerability has been labelled "highly critical" by security firm Secunia. It exists in Microsoft's Jet Database Engine, and can be exploited to execute arbitrary code by tricking users into opening a specially designed ".mdb" file in Microsoft Access, according to Secunia. Exploit code for the vulnerability has already been posted to a public mailing list, the security company has warned.

Microsoft criticised disclosure of the vulnerability, saying that the commonly accepted practice is to report a threat to the vendor first so a patch can be developed if necessary before the exploit code gets distributed.

Secunia said the flaw was first reported by security firm HexView. HexView said it notified Microsoft of the vulnerability on 30 March but received no response. In fact, HexView received an automated response but did not consider that sufficient to attach its 30-day disclosure policy.

For more information see HexView's advisory here.

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.