Home Alert! Be On Guard Against Microsoft Word Worms In Your Email

Alert! Be On Guard Against Microsoft Word Worms In Your Email

Until Microsoft discloses – and patches – a new Word vulnerability on Tuesday, anyone using Microsoft’s Outlook email program and its Word word processor should be even more cautious than usual.

That’s because one of Microsoft’s security bulletins for December includes a “Critical” vulnerability for Microsoft Word, one of the few times Microsoft has attached the “Critical” tag to a Word issue. 

Waiting For Patch Tuesday

Microsoft’s standard practice is to give a heads-up on the number of vulnerabilities it plans to fix on “Patch Tuesday,” the second Tuesday of every month. On that day, Microsoft releases the patches themselves, and discloses the vulnerabilities that they fix. (If it revealed the problems before providing the solutions, of course, black-hat hackers could exploit the hole.) So at this point, we don’t know what exactly what problems the current, unpatched version of Word hides.

In October, however, Microsoft disclosed a hole in Microsoft Word 2007 and Microsoft Word 2010 that allowed an attacker to take over a PC just by viewing an infected RTF file. That was a significant vulnerability; most modern attacks are triggered when a user views a Web page, or at least clicks a link. The October vulnerability was much more passive, and could be triggered just by idly scrolling down your inbox. Once your machine was infected, the attacker would have the same administrative rights as you do – and if you run as administrator, the attacker could completely control your machine.

Tuesday’s vulnerability appears to be even more severe: It can target Office 2003, 2007 and 2010, as well the Microsoft Word Viewer and Compatibility Pack. As security reporter Fahmida Rashid notes, it’s a  good bet that the inclusion of “Word Viewer” means that the new vulnerability allows a similar, passive attack. But note that it does not include Office 2012, so if you own a Surface tablet with the latest Office version, you should be safe.

In total, there are seven updates, which will even ensnare Windows RT. The Windows RT update will be provided by Microsoft, either via the Windows Store, Microsoft Update or Windows Update, a Microsoft spokeswoman said in an email.

How To Defend Yourself

At this point, Outlook/Word users can do several things to help mitigate the threat of any vulnerabilities.

First, always – always – allow Windows to download its approved patches. It’s probably best to allow Windows to install them, too, although users who leave their PCs on, as I do, risk getting caught by an unexpected reboot. While this shouldn’t be a problem for Word users, the inability of modern browsers to “save” inside a Web service can play havoc with your workflow. So it’s up to you whether you want to install the patches automatically.

Second, turn your caution up a notch. At this point, most Web users have a finely honed sense of what is spam and what isn’t, and are able to detect most phishing attempts (misspellings and malformed URLs are common clues). But for now, you’ll have to try and detect whether or not an email is malicious from the subject line. Users and companies who rely a Web-based version of their email (like Google Apps) may have an advantage here.

Third, never run in admininstrator mode. Yes, not having admin rights can be a pain sometimes. But if an attacker can gain the same levels of administrative rights as you can, downgrading your own status to a user might help offer at least a bit of protection. 

(Fourth: Get a Mac. There, are you happy?)

It’s not clear that there are, in fact, any worms or attackers with live code exploiting this in the wild. But there almost certainly will be starting on Tuesday, when Microsoft reveals the exploit and the patch and attackers hope to catch complacent Windows users napping. Don’t be one of them.

Image source: Flickr/davef3138

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.