Today we released bulletin MS09-024 that fixes vulnerabilities in text converters for the Microsoft Works document file format (WPS).
Reduced impact if Microsoft Office is installed
The Works converters included with Microsoft Word are vulnerable. However, the Microsoft Word installer does not associate the WPS file extension with Word. So a user double-clicking a WPS file attachment for the first time would see the following dialog:
The vulnerable Works document file format converter would only be loaded if a user selects Microsoft Word using the "Select the program from a list" option or if a user had previously selected Word to be the default editor for WPS files. If a user were to open the WPS file from the Microsoft Word interface using "File" -> "Open", this prompt would not appear. However, the "Workarounds" section of the MS09-024 security bulletin describes how to disable access to the converter completely.
You may be at reduced risk from the vulnerabilities addressed by the MS09-024 update if you have installed Microsoft Word and have not associated the WPS file format with Microsoft Word.
Update June 10: The vulnerable code is not reachable by a WPS renamed to use a DOC file extension.
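One way to check the association condition described above on a given machine, as an added PowerShell example that is not part of the original post or the bulletin. It assumes the standard Windows file-association keys (HKEY_CLASSES_ROOT and the per-user Explorer FileExts key) and treats any open command containing winword.exe as Word; the helper name Get-RegValue is hypothetical.

```powershell
# Added example: does .wps resolve to Microsoft Word for the current user?
# Assumption: "Word" means the handler's open command contains winword.exe.
$ext      = '.wps'
$hkcr     = 'Registry::HKEY_CLASSES_ROOT'
$fileExts = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext"

function Get-RegValue([string]$Path, [string]$Name = '') {
    # Returns the named value ('' = the key's default value), or nothing if the key is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

# Collect candidate handlers, most specific (per-user) first.
$candidates = @()
$userChoice = Get-RegValue "$fileExts\UserChoice" 'Progid'   # per-user choice, Windows Vista and later
if ($userChoice) { $candidates += $userChoice }
$xpApp = Get-RegValue $fileExts 'Application'                # per-user choice, Windows XP (executable name)
if ($xpApp) { $candidates += "Applications\$xpApp" }
$xpProgId = Get-RegValue $fileExts 'Progid'                  # per-user choice, Windows XP (ProgID)
if ($xpProgId) { $candidates += $xpProgId }
$classProgId = Get-RegValue "$hkcr\$ext"                     # class registration for the extension
if ($classProgId) { $candidates += $classProgId }

if ($candidates.Count -eq 0) {
    "No handler is registered for $ext for this user."
} else {
    $handler = $candidates[0]
    # Resolve the handler's "open" verb to the command line Explorer would run.
    $command = Get-RegValue "$hkcr\$handler\shell\open\command"
    if ($command -match 'winword\.exe') {
        "$ext opens with Word ($handler): a double-click loads the Works converter."
    } else {
        "$ext is handled by $handler [$command], not by Word."
    }
}
```

A negative result does not cover "File" -> "Open" from within Word, which needs no association; the bulletin's "Workarounds" section is what disables the converter itself.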
- Greg Wroblewski, MSRC Engineering
*Postings are provided "AS IS" with no warranties, and confer no rights.*