An unpatched bug in a file installed with Microsoft's Office and Visual Studio software could lead to some serious problems for Internet Explorer users.
An attacker could seize control of a vulnerable system by adding malicious code to a Web page that exploited a memory corruption error in Microsoft Office 2002 and Microsoft Visual Studio .Net 2002, reported FrSIRT (French Security Incident Response Team).
Though the attack would be executed via the popular Internet Explorer browser, only systems that contain the file in question, called Msdds.dll, are vulnerable, FrSIRT said. The FrSIRT said it has not yet seen a patch for the vulnerability.
Msdds.dll is software that is used for creating customised Office applications, according to Russ Cooper, senior information security analyst for Cybertrust. Cooper does not believe that this file has been installed on a large number of Windows systems. "I'm not concerned about it," he said. "I don't doubt it is shipped with the full Office Professional installation CD, but I highly doubt it is installed automatically."
Neither Microsoft nor FrSIRT could say whether this file was installed by default with Office or Visual Studio.
A Microsoft spokeswoman would also not say whether or not a patch is planned for the Msdds.dll bug, but the company has since published a security advisory discussing the problem and including a number of work-arounds.
A SANS Institute alert with instructions on how to check for the Msdds.dll file can be found here.