Windows Vista users, count your blessings.  Though the operating system may be flawed, sluggish in some areas and have issues with installing the new service pack; it is not vulnerable to a new flaw exposed in the Microsoft Jet Database Engine which could allow remote code execution.

In a Security Advisory, Microsoft is “investigating new public reports of very limited, targeted attacks using a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word.”

“Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.

Mitigating Factors:

• Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to this issue.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s site.”

The company is investigating reports of the issue and the impact it may have on its customers.  Microsoft Word may not be the only application that is vulnerable so additional applications are being checked for the vulnerability as well.  With that said, the vulnerability requires that the user “take multiple steps in order to be successful.”  Therefore, Microsoft believes the risk is relatively limited.

It is advised that a “two-way” firewall be enabled on your computer with the addition of up-to-date anti-virus and anti-spyware software.

Related:

Negative Vista "reviews" in Apple ads not actually reviews

Apple fixes Quicktime flaw on Windows Vista, XP

Microsoft to patch Vista flaws this week

Office 2007 security plans make it crash

Patch Tuesday looking quiet this month

Entry was posted on Saturday, March 22nd, 2008 at 10:16 am under Microsoft, Security, Tips, Vista.  Print This Post

Read more entries by Jonathan Schlaffer.
Stumble It!