I wanted to let you know that we have just posted Microsoft Security Advisory (950627).
This advisory contains information about a very limited, targeted attack exploiting a vulnerability in Microsoft Jet Database Engine. Our initial investigation has shown that this vulnerability affects customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007 and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1.
Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.
We’ve activated our Software Security Incident Response Process (SSIRP) to investigate the vulnerability and have identified steps customers can take to protect themselves in the workaround section. As part of our SSIRP process, we currently have teams working to develop an update of appropriate quality for release in our regularly scheduled bulletin process or as an out-of-band update, depending on customer impact. In the meantime, we encourage customers to review the advisory and implement the workarounds.
While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA partners to help protect customers. We will update the Advisory and this blog as new information becomes available.
Bill Sisk
*This posting is provided “AS IS” with no warranties, and confers no rights.*