Microsoft mega patch misses critical bug

On the same day Microsoft released its biggest batch of security patches in more than five years, it also warned Windows users of a critical bug that it didn’t get around to fixing.

In an advisory posted Tuesday, Microsoft said that “limited and targeted” attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. The flawed converter handles Microsoft Word 97 files on Windows 2000 Service Pack 4 (SP4), XP SP2, Server 2003 SP1 and SP2.

Newer versions of Windows — XP SP3, Vista and Server 2008 — are not vulnerable to the bug, however.

More from ITWorld Canada

Eight worst Windows flaws of the decade

WordPad is a basic word processor that’s been bundled with Microsoft’s operating system since Windows 95. The converter allows people who don’t have the company’s Word application to open documents in Windows Write, Word 6.0, Word 97, Word 2000 and Word 2002 formats.

Microsoft said that the WordPad converter bug requires some help from the user, who must be tricked into actually opening a malicious file — most likely delivered as an e-mail attachment.

It also gave users equipped with Word some additional advice about how to block attacks. “When Microsoft Office Word is installed, Word 97 documents are by default opened using Word, which is not affected by this vulnerability. However, an attacker could rename a malicious file to have a Windows Write (.wri) extension, which would still invoke WordPad. This file type can be blocked at the Internet perimeter,” the advisory said.

As it almost always does in its advisories, Microsoft was vague about whether it plans to patch the problem. “Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the boilerplate read. “This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on our customer needs.”

The last time Microsoft issued a security advisory was in late October, just days after it released an emergency patch for Windows, when it told users that exploit code had made it to the Web. That bug was later exploited by several pieces of malware, including the “Conficker.a” worm , which some researchers said was being used to build a massive botnet.

In one case, it took Microsoft seven years to patch a critical flaw.

If Microsoft does patch the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now