At the time when online Christmas shopping is at its peak, several vulnerabilities affecting Microsoft applications have been identified, two affecting Microsoft Word and the other affecting Windows Media Player. These flaws could allow malicious programs to be run on victims’ computers to capture confidential information.
Malware creators have recently turned to obtaining financial benefit, making it very likely that these vulnerabilities will be exploited to install Trojans or bots that could compromise confidentiality of online transactions, such as Internet shopping, or visits to online banking services.
The first of the two Microsoft Word vulnerabilities could allow remote code execution by means of a specially crafted file, whereas the second flaw, still under investigation, could also be exploited through specially crafted files.
Versions affected by the first vulnerability are (source: Microsoft’s advisory): Microsoft Word 2000, 2002, 2003, 2004 for Mac and v. X for Mac. Apart from Microsoft Word, other programs such as Microsoft Word Viewer 2003 and Microsoft Works 2004, 2005, and 2006 are also affected.
The second flaw affects Word 2000, 2002, 2003 and Word Viewer 2003. Microsoft Word 2007 is not vulnerable. To avoid the action of exploits created for Word, Microsoft advises users not to open files from unfamiliar sources.
Finally, the Windows Media Player flaw, would allow arbitrary code to be run in Windows Media Player under certain circumstances and by means of a specially crafted ASX file.
Source: Panda Software.