Microsoft has confirmed reports of a Word vulnerability that opens the door for an attacker to exploit a system. A vulnerability in the Microsoft Jet Database Engine, which shares documents with Access, Visual Basic and third-party applications, makes it possible.

Panda Software, McAfee and Symantec have all pointed to Microsoft Jet Database Engine flaws in past months, but Microsoft does not acknowledge the bug as a critical remote-execution vulnerability considering .mdb files are considered unsafe and Outlook is configured to block Access files when they are received as an attachment.

However, Elia Florio from Symantec’s protection response team doubts Microsoft’s stand is good ample. According to Symantec’s safety measure team, the attacker needs only to find a trick to force the Jet library to open a file and run malicious cipher.

“Some social engineering and a little help from Office applications will work out well in that specific attack. In fact, it is possible to signal MSJET40.DLL directly from

MS Word, without using Access at all,” Florio said. “In that attack, the .doc file uses mail-merge functionalities to import an external data-source file, and so it effectively forces MS Jet to load the malicious Access sample.”

Older Operating Systems Vulnerable

Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to attack.

However, customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 include a version of the Microsoft Jet Database Engine that is not vulnerable, according to a Microsoft safety measure advisory.

“Microsoft is investigating the public reports and customer impact. We are plus investigating whether the vulnerability can be exploited…

Orginal post by Top Tech News