Microsoft products also vulnerable to Mozilla flaw

Popular Microsoft products may be vulnerable to a security vulnerability that is similar to one patched for the Mozilla Web browsers last week.

Microsoft's MSN Messenger and Word word processing application both support a feature that could give remote users access to functions that could be used launch applications on Windows computers, according to an alert from Secunia, which tracks software vulnerabilities.

A Microsoft spokeswoman said the company is investigating the reports, but is not aware of any attacks using the vulnerabilities.

The applications both fail to restrict access to the "shell:" URI (Universal Resource Identifier), a feature that allows Windows users or software applications to launch programs associated with specific file extensions such as doc (associated with Word) or txt (associated with Notepad, the Windows text editing program), said Secunia.

Malicious hackers could launch programs associated with specific extensions using links embedded in Word documents or instant messages sent using MSN. However, the vulnerability does not allow attackers to pass instructions to the programs, which would allow more sophisticated attacks, Secunia said.

On Thursday, the Mozilla Foundation issued patches for a similar flaw in Windows versions of its Web browsers, Firefox and Thunderbird, and the Mozilla Application Suite.

News of the Mozilla flaws came amid increasing interest in alternative Web browsers after news broke about a number of serious security vulnerabilities in Microsoft's Internet Explorer Web browser that were being used in stealthy Web-based attacks.

According to data compiled by WebSideStory Inc., a San Diego Web measurement company, Internet Explorer's share of the browser market dropped by 1 percent in the last month, the first noticeable decline since the company began tracking the browser market in late 1999.

On July 2, Microsoft released a software update that disables a Windows component called ADODB.Stream, which was used in the Web attacks, and promised more updates for Windows and Internet Explorer to address the security issues.

If necessary, Microsoft could issue a fix for the MSN Messenger and Word flaws through its monthly software update process or an emergency patch, the company spokeswoman said.

The Redmond, Washington, software company expressed displeasure at the release of information on the product vulnerabilities, which were first publicized in the Full-Disclosure discussion list, a public online forum for those interested in computer software vulnerabilities.

"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the update is being developed," the company said in an e-mail statement.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?