SAN FRANCISCO (Reuters) - Microsoft Corp. (MSFT.O) on Friday said it was investigating a security flaw in its word processing software that could allow an attacker to steal sensitive computer files by using an innocent-looking Word document.
"Microsoft is still in the initial stages of testing the flaw and will determine the best fix possible based on these findings," the company said in a statement.
Based on the flaws uncovered by security experts, an attacker could send a Word document to an intended victim, asking that they modify and return it, according to Woody Leonhard, publisher of the Web site www.woodyswatch.com, which looks at the Microsoft Office suite of productivity software.
Meanwhile, a secret code in the document could be used to grab files on the victim's computer that would then be transferred back to the attacker along with the original document, he wrote in a report.
The first of the flaws, affecting Word 97, was reported last week on the Bugtraq e-mail list by Alex Gantman, Leonhard said. Later, Leonhard said, he discovered a different combination of "spy" fields that can be used in Word 2000 and Word 2002.
Microsoft said that, while the flaws affect all versions of its Word program, several factors mitigate the security risk they pose.
For example, a hacker would have to know exactly the name and location of the target file and the victim would have to modify, save and then return the document to the attacker, the company said.
But Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring company, said the flaws are serious since hackers could rely on a feature of Word itself instead of malicious software to steal data.
"It's a horrible vulnerability," he said. "It's a feature. It's not something an anti-virus product will notice. You can't turn it off."
While users of Word 2000 and 2002 will be able to get a fix or patch via download from the Web site, users of Office 97 will need to call a support phone number, a Microsoft spokesman said.
"A solution will be determined for all versions of the product -- including Office 97," the Microsoft statement said.
Word 97 users can view any hidden codes in documents. Microsoft gives instructions on how to do that on a technical support Web site at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q223790 .