WASHINGTON: Microsoft has discovered a dangerous bug in its Office software that can affect every version of Windows, except Windows Server 2003.
And hackers are already exploiting the flaw to trick people into opening infected files and taking over their entire computer.
What is the vulnerability?
In an official advisory notice, Microsoft said it is ‘aware of a vulnerability affecting all supported releases of Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object.’
Which versions of Windows are affected?
It affects all supported versions of Microsoft Windows, which includes Windows Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012, and Windows RT. Windows XP is no longer supported – which means that when Microsoft issues updates, users running this operating system don’t receive them – however, that doesn’t mean it is guaranteed to be safe from attack.
What is OLE?
OLE (Object Linking and Embedding) is a technology that allows applications to share data and functionality.
For example, a compound Microsoft Word document may contain an embedded Microsoft Excel spreadsheet, known as an OLE object. This technology also enables in-place editing, so instead of launching a new application when an OLE object is activated, the user can edit it inside their existing application.
Which files are at risk?
The current Office flaw is already being exploited in a number of ‘limited, targeted attacks’ in which infected Microsoft PowerPoint files are being sent over email. However, in theory, any Office file is at risk, including Word documents and Excel spreadsheets.
What might an attacker use the vulnerability to do?
An attacker who successfully takes advantage of this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
How can I protect myself?
Microsoft has issued a temporary fix that users can install to protect themselves ahead of a wider security update. It is also advising people not to open unidentified files.
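For mail or file triage, one way to see whether an Office file carries OLE objects without opening it in Office is to read the package relationships directly. The script below is an added example, not part of the article or Microsoft's advisory; it assumes the ZIP-based formats (.pptx, .docx, .xlsx) rather than the older binary ones, the function names are hypothetical, and the sample file is constructed and harmless.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET  # stdlib for the example; use a hardened parser on untrusted mail

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound-file signature


def find_ole_objects(data: bytes) -> list:
    """Return one record per OLE-object relationship found in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        for rels in sorted(n for n in names if n.endswith(".rels")):
            # "ppt/slides/_rels/slide1.xml.rels" resolves targets relative to "ppt/slides"
            base = posixpath.dirname(posixpath.dirname(rels))
            for rel in ET.fromstring(pkg.read(rels)).iter(REL_NS + "Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                external = rel.get("TargetMode") == "External"  # linked, not embedded
                part = None
                if not external:
                    joined = posixpath.join(base, rel.get("Target", ""))
                    part = posixpath.normpath(joined).lstrip("/")
                is_cfb = part in names and pkg.read(part)[:8] == CFB_MAGIC
                findings.append({"rels": rels, "part": part,
                                 "external": external, "is_cfb": is_cfb})
    return findings


def build_sample() -> bytes:
    """Constructed .pptx-like package: one embedded object, one linked object."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="../embeddings/oleObject1.bin"/>'
            f'<Relationship Id="rId2" Type="{OLE_REL}" Target="file:///C:/example/linked.xlsx"'
            ' TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_ole_objects(build_sample()):
        print(finding)
```

An OLE object in a file is not by itself a sign of an attack, since ordinary documents embed spreadsheets and charts this way; the output is a reason to look more closely at files from unknown senders.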