Courtesy of http://www.GeerCom.com.
Geer Communications - your on-time technology writer!
My own experience having been that it's difficult at best to find critical Office and Word updates and install them, hearing "word" of yet another Word vulnerability is discouraging.
The article linked above begins by warning about opening Microsoft Office attachments.
First of all, and apart from the topic at hand, if you don't know the sender, don't open it. Second, if you know the sender, don't open it until you've called them to confirm it is OK. Third, save the email with the file to your desktop and run a virus scan on it to confirm it's OK before opening the file itself.
It's hardly foolproof, but at least you've done something.
If you get a Word document with an exploit for the vulnerability discussed in the article, it will come in the form of a string of code in the document that can corrupt memory on the PC on which it is running. This memory corruption is an open door for attackers to run their software on your system.
The vulnerability is formally an unpatched memory corruption error, which exists because of an error in how the Microsoft Word software is coded. Microsoft is already investigating reports of attacks.
Many versions of Word are affected. This is a critical vulnerability.
The purpose of these attacks is to quickly exploit the undiscovered vulnerability before the patch is available--a zero day or 0day attack. With the millions of lines of code present in Microsoft software, one can expect this scenario to repeat itself across Microsoft's most popular products indefinitely.
As the article continues, cybercriminals do indeed take advantage of the window of opportunity that appears between the moment they--and, as yet, no one else--discover the vulnerability and the point when the patches are out and sufficiently deployed.
In that interim, they get in, set up shop with the malware they need to perpetrate ID theft and other fraud and rob consumers blind. Whatever they can haul away between now and December 12, the date the patch arrives, is theirs for the taking. They seldom are caught, even as they prepare to repeat the process again, and again, and again.
So, whose job is security? It's everyone's job, including yours.
If you don't want it stolen, don't put it on your system. Secure your system to the hilt with layered security. Enlist the aid of your financial institutions in protecting your assets if you do any banking, investing, or other checking of financial records or transactions online.
Even if you don't do anything high risk on your system, secure it as though you did. Attackers take charge of weak systems to use them in armies of drone computers called botnets that work together on the Internet to serve the purposes of the fraudsters and thieves who have taken control of them.
Don't be a party to it. "Ask not what your Internet can do for you. Ask what you can do for your Internet."
Best,
David Geer - your on time technology writer!
Geer Communications
My work has been published by IEEE Computer, ITWorld.com, Data Center Management and many others.
Contact David Geer at david@geercom.com.