Friday, December 15, 2006

Symantec and Microsoft Vulnerability Reports

While the Microsoft Security Response Center (MSRC) provided an update on the three reported Microsoft Word vulnerabilities, Marc Maiffret, eEye's chief technology officer, took Symantec to task for downplaying the threat of a worm last spring. That worm is now successfully attacking unpatched Symantec enterprise anti-virus software because, according to Maiffret, companies focus too much attention on Microsoft's flaws and ignore those from other vendors. Maiffret also pointed out that such companies lack a proper update mechanism.

Maiffret did not limit his criticism to Symantec but also included "short-sighted enterprises". More information on the worm, which also has a botnet component, as well as Maiffret's comments are available in Gregg Keizer's article, "Worm Attacks Symantec Enterprise Anti-Virus".

Returning to the MSRC report on the Microsoft Word vulnerabilities, the recommendation remains the same: do not open any document (Word or otherwise) if you do not recognize the sender. The report includes the following:
"1. CVE-2006-5994 – This issue is discussed in Microsoft Security Advisory 929433. Our ongoing monitoring indicates that this is subject to very limited and targeted attacks.

2. CVE-2006-6456 – This issue is discussed in our blog posting from December 10. Our ongoing monitoring indicates that this also is currently subject to very limited and targeted attacks. Our investigation so far indicates that this issue affects Word 2000, Word 2002, Word 2003 and Word Viewer 2003.

3. CVE-2006-6561 – This is a new issue. At this time we’re aware only of Proof of Concept code: we’re not aware of any attacks at this time. Our initial investigation indicates that this issue affects Word 2000, Word 2002 and Word Viewer 2003.

The guidance, as far as steps that customers can take to protect themselves, that we’ve provided in Microsoft Security Advisory 929433 applies to all three issues. Our teams are continuing their research to find additional workarounds and if we have new information we’ll post that updated information in the advisory."

The MSRC also posted an update and apology for any confusion on the "accidental posting of pre-release security updates for Office for Mac".
