Yet Another MS Word Flaw Surfaces
On Sunday, Microsoft acknowledged the existence of another vulnerability in Word 2003, though declined to release details on the nature of this new find, other than to say it's different than the discovery of a heap overflow trigger last week by security research firm eEye.
While Microsoft referred to "reports" of a second vulnerability, it did not credit anyone specifically with those reports, leaving news sources with only the requisite news that a problem does exist - which is often enough to chew on.
Yet Microsoft has not yet released a formal Security Advisory for this problem, which could leave some to speculate as to why this particular problem shouldn't fit the traditional profile.
What the company's Security Response Center blog was willing to say this morning was that it knows of an active exploit involving this newfound hole, though one that's used in a "limited, targeted" way. In a blog post from a few days earlier -- prior to the unknown new hole being acknowledged -- MSRC's Christopher Budd wrote, "When we talk about 'very limited, targeted attacks' we specifically mean this in contrast to attacks that affect a broad number of customers randomly. Unlike these broad, random attacks, these very limited, targeted attacks are carried out against a very small number of customers (sometimes only one or two even) and are carried out in a very deliberate fashion against a specific organization or organizations."
But why would Microsoft choose to have its Security Response Center acknowledge a vulnerability, yet not issue a Security Advisory to that same effect? It would seem the result would only be to send the general press and other security advisory firms into a state of panic.
Sure enough, ABC News ran a PC Magazine story by Larry Seltzer on Microsoft's acknowledgement, with the heading, "What's Up, .DOC?" though providing no other details beyond what MSRC provided. And Secunia this morning rated the problem as "extremely critical," even though the advisory basically concedes the firm doesn't know what it is.
In a criminal investigation, a law enforcement agency often releases limited details to the public, in an attempt to flesh out the details from others who - perhaps even unwittingly - might contribute new information. One can imagine any number of "Law & Order" episodes where the detective taking the deposition from the oh-so-innocent informant asks, "How did you know the victim had red hair?" Quite possibly, this particular investigation may be taking on the flavor of that kind of investigation.
One more clue in favor of that theory comes from Christopher Budd's explanation of "very limited, targeted attacks" from last week: "Part of our investigation showed that the attacks were specifically attempting to introduce malicious software rather than propagate themselves to additional customers." If so, then as the detective might say, that's motive.