Microsoft May Release Out-of-Cycle Patch for Word Flaw

Microsoft confirmed "very limited, targeted" attacks on an open Word security flaw. The company is researching a patch.

Late Friday, Microsoft confirmed "very limited, targeted" attacks on an open Microsoft Word security flaw. The company is currently researching a patch -- one that it may not wait for its regular Patch Tuesday to release.

The flaw affects most versions of Word that are not running on Windows Server 2003 SP2, Vista or Vista SP1. Hackers can execute buffer overrun attacks by taking advantage of a flaw in Microsoft's Jet Database Engine (Jet) in Word that can allow the remote execution of code, according to Microsoft's security advisory on the issue. Windows Server 2003 and Vista are not vulnerable as they use a different version of Jet.

Microsoft is also investigating whether other products that use Jet may be vulnerable.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," the company said.

For now, Redmond has posted a workaround for the flaw in the security advisory that shows administrators how to restrict Jet from running as well as block .MDB attachments through Microsoft Exchange or other mail systems.

Customers could also be infected via the Web if they are lured into visiting a Web site that "contains a specially crafted Word file that is used to attempt to exploit this vulnerability."

Microsoft said that because successfully exploiting the flaw requires "customers to take multiple steps" in order to be affected, the risk is "very limited." A successful attack would mean that the hacker would gain the same rights as the user of the machine.

About the Author

Becky Nagel is the vice president of Web & Digital Strategy for 1105's Converge360 Group, where she oversees the front-end Web team and deals with all aspects of digital strategy. She also serves as executive editor of the group's media Web sites, and you'll even find her byline on, the group's newest site for enterprise developers working with AI. She recently gave a talk at a leading technical publishers conference about how changes in Web technology may impact publishers' bottom lines. Follow her on twitter @beckynagel.


  • Microsoft Adding Google G Suite Migration in Exchange Admin Center

    Microsoft's Exchange Admin Center will be getting the ability to move Google G Suite calendar, contacts and e-mail data over to the Office 365 service "in the coming weeks."

  • Qualcomm Back in Datacenter Fray with AI Chip

    The chip maker joins a crowded field of vendors that are designing silicon for processing AI inference workloads in the datacenter.

  • Microsoft To Ship Surface Hub 2S Conference Device in June

    Microsoft on Wednesday announced a June U.S. ship date for one of its Surface Hub 2S conferencing room products, plus a couple of other product milestones.

  • Kaspersky Lab Nabs Another Windows Zero-Day

    Kaspersky Lab this week described more about a zero-day Windows vulnerability (CVE-2019-0859) that its researchers recently discovered, and how PowerShell was used by the exploit.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.