A new security hole discovered Monday makes it possible to host on the Web a Word document that points to an Access database containing malicious Visual Basic code that could erase files, send personal information to other computers or result in a system crash.
"The problem is, MS Word accepts an Access database as a data source in Mail Merge," says an alert written by security expert Georgi Guninski, who discovered the hole.
A Microsoft executive downplayed the hole's significance. "Even in the worst case, this is much less of a problem than it has been reported to be," says Scott Culp, security product manager for Microsoft's Security Response Team.
But at least one researcher disagreed with Microsoft's dismissal of the vulnerability. "It's pretty serious," says Elias Levy, CTO of security portal SecurityFocus.com.
Although Levy says there are no known victims of the hole yet, he says any computer user who receives an e-mail with a hyperlink or visits a Web site that hosts a Word document designed to point to an Access database containing the malicious code could be susceptible.
Culp points out, however, that someone would first have to get the Access database onto a user's computer or in their local area network. The user would have to be compelled to visit the Web site or link to it via e-mail, he said, adding that, "Most people do not visit malicious Web sites."
If the user has the Office Document Open Confirmation Tool installed, the user will be asked whether the Word document should be opened or not. If a user doesn't have that tool, the Mail Merge function in Word would be used to open the Access database and cause the code within it to run.
"It's a fairly complicated issue," Culp says. "People who have taken reasonable steps to protect themselves are not going to be at risk from this vulnerability."
Culp said Microsoft's investigation into the hole is pending. It remains unclear when or if Microsoft will release a patch for the hole.
Levy acknowledges that most corporations will have firewalls that would protect against the hole's file-sharing capability, but he says the exploit – just the latest of many affecting Microsoft software – points to the need to be proactive in protecting computer users from such vulnerabilities.
"It is obvious that the current approach of releasing code and patching it when a bug is found is not working," he says. "The current security technology in consumer operating systems is woefully inadequate for the Internet age."
Levy suggests that operating systems should include capabilities such as privilege settings, information labels and data-tainting, all of which could help computer users distinguish trusted data sources from questionable ones.
But Culp said the digital signature technology in all Windows operating systems could help users differentiate between code they want to execute and code they don't.
"Even in the absence of something like the Open Confirmation Tool," he says, "you can always check for a digital signature on any file."