Both Symantec and security researchers have claimed
hackers are exploiting an unpatched vulnerability in Microsoft Word
that could allow them to take control of a victim's
computer.
The zero-day vulnerability is the latest in a string affecting
Microsoft's Word 2000 software that has yet to be patched, and is
said to affect most versions of Windows running Word.
Danish security firm Secunia also reported the vulnerability, and
rated it as "extremely critical".
The attack comes via an infected Word document, which, if
opened, installs a Trojan called Trojan.Mdropper.W onto the
computer. The Trojan also puts other files on a computer that
enable a hacker to control it.
Microsoft recently released three sets of critical patches – for
Outlook, PowerPoint and Windows – but not for Word.
The best way of avoiding the Trojan is to delete e-mails
containing unexpected Word documents. However, Word documents are
ubiquitous, and there is always an unsuspecting victim
somewhere.
Meanwhile Microsoft is expected to use this week’s RSA
conference to announce a new web technology to combat phishing. It
plans to announce that a number of websites have gone through a new
certification process designed to make it harder for phishers to
spoof them.
The process reportedly gives third-party certification
authorities like VeriSign and Entrust a more stringent set of
guidelines to follow when they are authenticating websites.
Another new technology to combat phishing? I think we’ve heard
that before. It didn’t stop phishing before, and I doubt it will
this time either.