Researchers have reported a new Microsoft vulnerability in Windows Help (HLP) files, coinciding with this week’s Patch Tuesday release.
The flaw enables an attacker to use a heap overflow to execute arbitrary code.
Lau urged email users not to open any HLP files from untrusted sources and to employ safe computing practices.
A Microsoft spokesperson said today that the company is investigating reports of a flaw, but is not aware of any attacks in the wild taking advantage of it.
"Microsoft’s initial investigation has found that the possible vulnerability would require an attacker to use an HLP file," said the spokesman, adding that HLP files are listed as unsafe file types by the company.
Meanwhile, "Muts," the hacker who this week published proof-of-concept (PoC) code for what he said are just-discovered flaws in Word 2007, said on his blog today that he has received messages from users of the Full Disclosure mailing list confirming a system crash when the bugs were used. He also provided screenshots of Word crashing.
Microsoft disputed the claims again today, saying a company investigation had not verified them.
Amol Sarwate, director of Qualys’ vulnerability research lab, told SCMagazine.com on Wednesday that it is becoming more common for flaws to be discovered and exploits released around Patch Tuesday so attackers have maximum time for exploitation.