At the time when online Christmas shopping is at its peak, several vulnerabilities affecting Microsoft applications have been identified: two affecting Microsoft Word and the other affecting Windows Media Player. These flaws could allow malicious programs to be run on victims' computers to capture confidential information.
Luis Corrons, head of PandaLabs explains, "The existence of these vulnerabilities seriously compromises computer systems, as there is no solution available for them yet. This leaves the door open to the introduction of malicious codes in computers. This is one more example of the need to complement computer protection with proactive solutions."
Users of Panda Software security solutions are protected against any attempt to exploit the vulnerabilities above with its TruPrevent Technologies. These technologies prevent attackers from taking advantage of vulnerabilities, regardless of whether the code that they try to run on the target computer has been previously identified or not.
Malware creators have recently turned to obtaining financial benefit, making it likely that these vulnerabilities will be exploited to install Trojans or bots that could compromise confidentiality of online transactions, such as Internet shopping, or visits to online banking services.
The first of the two Microsoft Word vulnerabilities could allow remote code execution by means of a specially crafted file, whereas the second flaw, still under investigation, could also be exploited through specially crafted files.
Versions affected by the first vulnerability are (according to Microsoft's advisory at http://www.microsoft.com/technet/security/advisory/929433.mspx): Microsoft Word 2000, 2002, 2003, 2004 for Mac and v. X for Mac. Apart from Microsoft Word, other programs such as Microsoft Word Viewer 2003 and Microsoft Works 2004, 2005, and 2006 are also affected.
The second flaw, reported at http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero- day.aspx, affects Word 2000, 2002, 2003 and Word Viewer 2003. Microsoft Word 2007 is not vulnerable. To avoid the action of exploits created for Word, Microsoft advises users not to open files from unfamiliar sources.
Finally, the Windows Media Player flaw, reported at http://research.eeye.com/html/alerts/zeroday/20061122.html, would allow arbitrary code to be run in Windows Media Player under certain circumstances and by means of a specially crafted ASX file.