Microsoft is investigating a Windows bug that can crash PCs, requiring users to reboot. All unsaved data would be lost.
First reported two days ago by Symantec's DeepSight threat network, the flaw is in the OLE32.DLL library file, which is a required Windows component called during object linking and embedding operations, such as inserting a Microsoft Excel worksheet inside a Word document.
Attackers can exploit the OLE32.DLL vulnerability by crafting a malicious Word document, then duping users into downloading the document or opening it when it arrives via e-mail. Software that's linked to OLE32.DLL, such as the Windows Explorer file navigator, will crash, said Symantec.
The flaw affects Windows XP and Windows 2000.
"At a minimum, this vulnerability will cause Microsoft Windows Explorer to crash," read an alert issued yesterday by US-CERT, the federally funded threat center. If Explorer crashes, Windows becomes unusable; the only way to recover the system is with a hard reboot.
Both Symantec and US-CERT warned that it might be possible for attackers to use the bug to insert their own code on the compromised computer. "The complete impact of this vulnerability is not known," US-CERT said. "Memory corruption does occur, but it is not clear if this can be leveraged to execute arbitrary code."
Microsoft said its security team is looking into the bug. "Microsoft is aware of a report of a possible vulnerability and is currently investigating the issue," said a spokesperson. "The company is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time, and it will continue to investigate."
Microsoft did not promise it would issue a patch, much less offer a timetable. Until a fix is in place, Symantec and US-CERT recommended that users not open unfamiliar or unexpected Office documents. US-CERT also warned that filtering for standard Office file extensions -- .doc for Office, .xls for Excel, for example -- isn't smart. "In most cases, Windows will call Office to open a document even if the document has an unknown file extension," US-CERT said.