Exploit Code Targets Third Microsoft Zero-Day Word Bug - InformationWeek
01:55 PM

The new unpatched bug was reported Wednesday, and exploit proof-of-concept code has been posted on a Web site.

Microsoft said Thursday that it was investigating yet another Word vulnerability, the third in the last nine days, while security researchers warned that exploit code to take advantage of it had already been spotted in the wild.

The new unpatched bug, or "zero-day" vulnerability, was reported Wednesday by eEye Digital Security, which warned users that exploit proof-of-concept code had been publicly posted on the milw0rm.com Web site.

"Because details are at a minimum for the other two active zero-day vulnerabilities originally reported by Microsoft, it is presumed that this disclosed vulnerability is actually a third and separate vulnerability," the eEye alert read.

A Microsoft spokesperson confirmed that the company's security team was looking into the new problem.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Word [and] will continue to investigate the public reports to help provide additional guidance for customers as necessary," the spokesperson said in an e-mail. "Upon completion of this investigation, Microsoft will take appropriate action, [which] may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

According to eEye, Word 2000, 2002, and 2003 are affected, as is Word Viewer 2003. A successful exploit of the bug could let an attacker seize control of the PC.

This is the third zero-day Word flaw disclosed since Dec. 5; none has been patched by Microsoft, which issued its December updates Tuesday without repairing the popular word processor.

Although out-of-cycle patches are rare—Microsoft has issued only two this year—the company typically responds faster when a number of vulnerabilities appear in a short time and/or when media reports aggressively track the bugs. In both out-of-cycle instances this year, the Zeroday Emergency Response Team (ZERT), a loose affiliation of security researchers, had issued its own patch before Microsoft rushed the official fix into distribution.

But ZERT has given no indication that it will patch this Word bug or either of the other two.
