Microsoft reveals string of software bugs
(New Scientist) A string of software bugs in Microsoft products were announced on Wednesday, prompting some experts to warn that they may be used to create new worms, viruses and hacking tools. The most common software affected by the faults are Microsoft Office programs.
Gunter Ollman, a consultant with the US computer security firm Internet Security Systems, says all of the vulnerabilities may attract unwanted attention from computer hackers and virus writers.
“If you want to make a worm successful, or if you want to compromise a host, the easiest way is to focus on Microsoft Office vulnerabilities,” he told New Scientist. “They are much less likely to be patched purely because people don’t understand fully how the patching and update process works.”
A Microsoft spokeswoman told New Scientist the risk was lessened by the fact that exploiting any of the vulnerabilities would require a victim to open a document or carry out some other active task. She added: “We don’t know of any worms being created.”
Custom code
The most serious of the software bugs concerns Visual Basic for Applications (VBA), a software development system that makes it possible to customise VBA-enabled Microsoft applications. This includes Office software and many less well known business programs.
The glitch affects applications that support VBA and could be used to steal data or run unauthorised code on a target PC, Microsoft warns. Opening a specially crafted document could create a “buffer overflow” error within vulnerable applications, providing access to parts of the computer’s memory that should be protected.
Another bug, discovered in recent versions of Microsoft Word, makes it possible to run an unauthorised macro on a victim’s computer. Macros are small programs built into Word that can be used, for example, to automatically edit a document or forward it in an email.
The remaining bugs are rated less serious by Microsoft either because they concern more obscure programs or because they are more difficult to exploit.
Extra cautious
Microsoft Office product manager Simon Marks warned users to be wary of documents of unknown origin in general. “If you receive an attachment from someone you don’t know or something you’re not expecting, you should be very cautious,” he told News.com.
The number of software bugs routinely found in Microsoft programs has led some to accuse the company of releasing immature code. Microsoft has worked to improve its code by sending programmers on training courses designed to prevent bugs appearing.
User can download security patches for Office software at http://office.microsoft.com/productupdates/. But Ollman says this site is less well known than its equivalent for Microsoft’s Windows operating systems, at http://windowsupdate.microsoft.com/, meaning fewer people may repair their software.