Microsoft products also vulnerable to Mozilla flaw
- 13 July, 2004 08:18
Popular Microsoft products may be vulnerable to a security vulnerability that is similar to one patched for the Mozilla Web browsers last week.
Microsoft's MSN Messenger and Word word processing application both support a feature that could give remote users access to functions that could be used launch applications on Windows computers, according to an alert from Secunia, which tracks software vulnerabilities.
A Microsoft spokeswoman said the company is investigating the reports, but is not aware of any attacks using the vulnerabilities.
The applications both fail to restrict access to the "shell:" URI (Universal Resource Identifier), a feature that allows Windows users or software applications to launch programs associated with specific file extensions such as doc (associated with Word) or txt (associated with Notepad, the Windows text editing program), said Secunia.
Malicious hackers could launch programs associated with specific extensions using links embedded in Word documents or instant messages sent using MSN. However, the vulnerability does not allow attackers to pass instructions to the programs, which would allow more sophisticated attacks, Secunia said.
On Thursday, the Mozilla Foundation issued patches for a similar flaw in Windows versions of its Web browsers, Firefox and Thunderbird, and the Mozilla Application Suite.
News of the Mozilla flaws came amid increasing interest in alternative Web browsers after news broke about a number of serious security vulnerabilities in Microsoft's Internet Explorer Web browser that were being used in stealthy Web-based attacks.
According to data compiled by WebSideStory Inc., a San Diego Web measurement company, Internet Explorer's share of the browser market dropped by 1 percent in the last month, the first noticeable decline since the company began tracking the browser market in late 1999.
On July 2, Microsoft released a software update that disables a Windows component called ADODB.Stream, which was used in the Web attacks, and promised more updates for Windows and Internet Explorer to address the security issues.
If necessary, Microsoft could issue a fix for the MSN Messenger and Word flaws through its monthly software update process or an emergency patch, the company spokeswoman said.
The Redmond, Washington, software company expressed displeasure at the release of information on the product vulnerabilities, which were first publicized in the Full-Disclosure discussion list, a public online forum for those interested in computer software vulnerabilities.
"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the update is being developed," the company said in an e-mail statement.