Thursday, December 14, 2006

3rd Zero-Day MS Word Bug in 9 Days

Just a couple of days ago, a hole was found in WMP (see post), and there have been 3 "zero-day" MS Word bugs reported within the last 9 days. Microsoft "spokespersons" have had a busy week, to say the least, explaining all this to the media. The new unpatched bug was reported Wednesday, and exploit proof-of-concept code has been posted on a Web site.

Here's an excerpt from www.informationweek.com (to read the full story, please click the Post Title above):

By Gregg Keizer
InformationWeek
Dec 14, 2006 01:55 PM

Microsoft Thursday said it was investigating yet another Word vulnerability, the third in the last nine days, while security researchers warned that exploit code to take advantage of it was already spotted in the wild.

The new unpatched bug, or "zero-day" vulnerability, was reported Wednesday by eEye Digital Security, which warned users that exploit proof-of-concept code had been publicly posted on the milw0rm.com Web site.

"Because details are at a minimum for the other two active zero-day vulnerabilities originally reported by Microsoft, it is presumed that this disclosed vulnerability is actually a third and separate vulnerability," the eEye alert read.

A Microsoft spokesperson confirmed that the company's security team was looking into the new problem.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Word [and] will continue to investigate the public reports to help provide additional guidance for customers as necessary," the spokesperson said in an e-mail. "Upon completion of this investigation, Microsoft will take appropriate action, [which] may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

According to eEye, Word 2000, 2002, and 2003 are affected, as is Word Viewer 2003. A successful exploit of the bug could let an attacker seize control of the PC.
