Microsoft warns: Update Word or risk macro havoc

Monday 25 June 2001 04:38
by Cliff Saran

Microsoft has warned all users of MS-Word to update the software with a patch to close a major security hole.

The software giant has posted a notice on its security Web site stating that it is possible to modify a Word document in a way that prevents the security scanner from recognising an embedded macro but still allows the macro to execute.

The flaw affects the latest Office XP product, Word 2000 and Word 97 for Windows, and Word 98 and 2002 for the Macintosh.

The potential damage that could be caused by the security flaw is immense. In Microsoft's own words, an attacker could cause a macro to run automatically when a Word document was opened. Such a macro "would be able to take any action that the user could take". For instance, Microsoft warned that an attacker could "change data, communicate with Web sites, reformat the hard drive or change the Word security settings".

Large organisations will run many different versions of Word and, in a worst-case scenario, the IT department might have to apply different software patches across the entire company.

Tony Lock, senior analyst at Bloor Research and a former IT director at a petrochemical company, said, "Without automatic software distribution, there is a very large cost impact. It can be a proverbial nightmare."

As a former IT director, Lock said that the way to reduce the disruption and cost of applying such a patch across an entire company is by running a common operating environment. In his experience, companies that take this approach to IT management "lay down a three-year standard desktop operating environment, right down to which patches get applied".

"Even with a completely uniform operating system environment, there is still the issue of distributing the patch, and ensuring it will work for each end user," said Lock. In an ideal world, the IT manager would know exactly what each user is running, he added, "but very few organisations have asset management running".