Software // Enterprise Applications
News
12/14/2006
01:55 PM
Connect Directly
RSS
E-Mail
50%
50%

Exploit Code Targets Third Microsoft Zero-Day Word Bug

The new unpatched bug was reported Wednesday, and exploit proof-of-concept code has been posted on a Web site.

Microsoft Thursday said it was investigating yet another Word vulnerability, the third in the last nine days, while security researchers warned that exploit code to take advantage of it was already spotted in the wild.

The new unpatched bug, or "zero-day" vulnerability, was reported Wednesday by eEye Digital Security, which warned users that exploit proof-of-concept code had been publicly posted on the milw0rm.com Web site.

"Because details are at a minimum for the other two active zero-day vulnerabilities originally reported by Microsoft, it is presumed that this disclosed vulnerability is actually a third and separate vulnerability," the eEye alert read.

A Microsoft spokesperson confirmed that the company's security team was looking into the new problem.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Word [and] will continue to investigate the public reports to help provide additional guidance for customers as necessary," the spokesperson said in an e-mail. "Upon completion of this investigation, Microsoft will take appropriate action, [which] may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

According to eEye, Word 2000, 2002, and 2003 are affected, as is Word Viewer 2003. A successful exploit of the bug could let an attacker seize control of the PC.

This is the third zero-day Word flaw disclosed since Dec. 5; none has been patched by Microsoft, which issued its December updates Tuesday without repairing the popular word processor.

Although out-of-cycle patches are rare—Microsoft has issued only two this year—the company typically responds faster when a number of vulnerabilities appear in a short time and/or when media reports aggressively track the bugs. In both out-of-cycle instances this year, the Zeroday Emergency Response Team (ZERT), a loose affiliation of security researchers, had issued its own patch before Microsoft rushed the official fix into distribution.

But ZERT has given no indication that it will patch this, or either of the other two, Word bugs.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - June 10, 2014
When selecting servers to support analytics, consider data center capacity, storage, and computational intensity.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.