Software giant Microsoft warned on Friday that some customers have reported detecting attacks using Microsoft Word and a previously unknown vulnerability in Microsoft's Jet database engine.
The attack uses an e-mail message with two attachments -- a Word file and a Microsoft Jet database file -- although Microsoft is investigating whether other programs could also be used, the company said in a security advisory published on Friday. While the software giant has stated that Microsoft database files (.mdb) should be considered unsafe, and do not execute automatically, under the attack conditions described in the latest attacks the database files does execute, security firm McAfee stated in its research blog.
"Up until recently attackers typically exploited MS Jet DB vulnerabilities through MDB files, and therefore Microsoft stuck to their 'MDB files are unsafe' story -- well, thats changed," Craig Schmugar, senior antivirus researcher at security firm McAfee, wrote in the post.
Flaws in Microsoft's Office productivity applications have become standard weapons for fraudsters conducting targeted attacks aimed at high-level managers and executives. While ten or fewer high-severity flaws were reported in the five major component applications of Microsoft Office each year from 2002 to 2006, at least 26 high-severity flaws were reported in Office applications last year, according to data from the National Vulnerability Database. Earlier this month, Microsoft patched a dozens flaws in Office applications.
Microsoft is currently working on producing a patch for the flaw. The company recommended that companies either restrict Microsoft Jet Database from running or block .mdb files from being sent as attachments.
The vulnerability does not affect computers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1, the company stated.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos