
New Word, Windows Vulnerabilities Surface

It's been a rocky 2007 for Microsoft Corp.'s Word productivity app, but April might just be the cruelest month of all. Redmond this week was alerted to a spate of new security flaws in its vulnerability-ridden Word -- only this time, the victim is Microsoft's brand-new Word 2007 application.

Elsewhere, security mailing lists were abuzz with talk of another new Windows vulnerability: a flaw in Microsoft's Windows Help implementation.

The new Word flaws affect only the Office 2007-flavored version of that product. That wasn't the case in February, when Microsoft released a roll-up fix to patch a quartet of vulnerabilities in Word 2000, Word 2002 (XP), Word 2003 and Word for Macintosh. Several of the vulnerabilities were linked to known zero-day attacks. Ironically, Word 2007 was invulnerable to those attacks.

The new flaws, which were disclosed on the Bugtraq mailing list, could make Word 2007 susceptible to remote code execution and denial-of-service (DoS) exploits, according to their discoverer, Israeli security researcher Mati Aharoni. The more serious of the two -- a buffer overflow in Word 2007's WWLIB.DLL -- can allow both DoS and remote code execution attacks, Aharoni claimed.

He also disclosed the possibility of "multiple unspecified vulnerabilities" in Word 2007 that attackers could exploit to cause DoS. Aharoni has developed proof-of-concept code in the form of malicious documents.

Neither issue has yet been confirmed by Microsoft; their status at the Common Vulnerabilities and Exposures (CVE) repository is currently listed as "Under Review."

Little is known about the impact of the Windows Help flaw, which affects files with the .HLP extension. An attacker can exploit it by crafting a malicious .HLP file that -- when executed -- triggers a heap-based buffer overflow. The complete ramifications of doing so are, at present, unknown. A similar issue was identified last year; that vulnerability was linked to a remote code execution exploit.

The most recent Windows Help vulnerability, like the Word 2007 flaws, was identified by Aharoni.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
