IDG News Service - Hackers continue to poke holes in Microsoft Corp.'s Office software.
Symantec Corp. has warned that an unpatched flaw in the Windows 2000 version of Microsoft Office 2000 is being used by attackers to run unauthorized software on victims' computers.
Microsoft today confirmed that the bug exists but would not say when it plans to fix the problem.
The critical vulnerability was first reported by Symantec to users of its DeepSight threat notification service. Attackers are exploiting the flaw by sending malicious Word documents to victims, Symantec said. When these documents are opened, Word is tricked into installing malicious software on the PC.
Symantec is calling this malware Trojan.MDropper.
Trojan.MDropper installs malicious software on the computer, which in turn installs another Trojan horse program, "which turns out to be new variant of Backdoor.Femo," Symantec said in a Web posting. Symantec testers have not been able to exploit the problem on more up-to-date versions of Office or Windows.
Microsoft is investigating the issue and may release a patch once its investigation is completed, according to its public relations agency.
Microsoft has spent a lot of time investigating and patching Office applications this year. Over the past few months there have been several reports concerning very targeted attacks, similar to this latest Office issue.
Microsoft's last few security updates have been filled with patches for Office flaws, many of which had already been used in attacks.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
