Exploit Code Targets Third Microsoft Zero-Day Word Bug

The new unpatched bug, or "zero-day" vulnerability, was reported Wednesday by eEye Digital Security, which warned users that exploit proof-of-concept code had been publicly posted on the milw0rm.com Web site.

"Because details are at a minimum for the other two active zero-day vulnerabilities originally reported by Microsoft, it is presumed that this disclosed vulnerability is actually a third and separate vulnerability," the eEye alert read.

A Microsoft spokesperson confirmed that the company's security team was looking into the new problem.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Word [and] will continue to investigate the public reports to help provide additional guidance for customers as necessary," the spokesperson said in an e-mail. "Upon completion of this investigation, Microsoft will take appropriate action, [which] may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

According to eEye, Word 2000, 2002, and 2003 are affected, as is Word Viewer 2003. A successful exploit of the bug could let an attacker seize control of the PC.

This is the third zero-day Word flaw disclosed since Dec. 5; none has been patched by Microsoft, which issued its December updates Tuesday without repairing the popular word processor.

Although out-of-cycle patches are rare—Microsoft has issued only two this year—the company typically responds faster when a number of vulnerabilities appear in a short time and/or when media reports aggressively track the bugs. In both out-of-cycle instances this year, the Zeroday Emergency Response Team (ZERT), a loose affiliation of security researchers, had issued its own patch before Microsoft rushed the official fix into distribution.

But ZERT has given no indication that it will patch this, or either of the other two, Word bugs.