Exploit Code Targets Third Microsoft Zero-Day Word Bug
The new unpatched bug was reported Wednesday, and exploit proof-of-concept code has been posted on a Web site.
Microsoft Thursday said it was investigating yet another Word vulnerability, the third in the last nine days, while security researchers warned that exploit code to take advantage of it was already spotted in the wild.
The new unpatched bug, or "zero-day" vulnerability, was reported Wednesday by eEye Digital Security, which warned users that exploit proof-of-concept code had been publicly posted on the milw0rm.com Web site.
"Because details are at a minimum for the other two active zero-day vulnerabilities originally reported by Microsoft, it is presumed that this disclosed vulnerability is actually a third and separate vulnerability," the eEye alert read.
A Microsoft spokesperson confirmed that the company's security team was looking into the new problem.
"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Word [and] will continue to investigate the public reports to help provide additional guidance for customers as necessary," the spokesperson said in an e-mail. "Upon completion of this investigation, Microsoft will take appropriate action, [which] may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
According to eEye, Word 2000, 2002, and 2003 are affected, as is Word Viewer 2003. A successful exploit of the bug could let an attacker seize control of the PC.
This is the third zero-day Word flaw disclosed since Dec. 5; none has been patched by Microsoft, which issued its December updates Tuesday without repairing the popular word processor.
Although out-of-cycle patches are rare—Microsoft has issued only two this year—the company typically responds faster when a number of vulnerabilities appear in a short time and/or when media reports aggressively track the bugs. In both out-of-cycle instances this year, the Zeroday Emergency Response Team (ZERT), a loose affiliation of security researchers, had issued its own patch before Microsoft rushed the official fix into distribution.
But ZERT has given no indication that it will patch this, or either of the other two, Word bugs.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 7, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program!