Microsoft suffers third zero-day in a week

Article

Microsoft suffers third zero-day in a week

Bill Brenner, Senior News Writer
Users should be cautious when opening Microsoft Word email attachments, as a new zero-day flaw has been found in the program, the software giant warned Sunday.

According to the French Security Incident Response Team (FrSIRT), the problem

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

is a memory corruption error that appears when malformed documents are handled. Attackers could exploit this to execute arbitrary commands by tricking a user into opening a specially crafted Word document, FrSIRT said.
Zero-day attacks:

Dec. 6: New zero-day affects Microsoft Word

Nov. 6: Microsoft eyes second zero-day threat in a week

Nov. 1: Zero-day attacks target Microsoft Visual Studio

Sept. 19: Zero-day attack targets IE

July 18: Microsoft plans PowerPoint zero-day patch

Jun. 16: Microsoft Excel zero-day flaw discovered

May 19: Zero-day threat targets Microsoft Word

It's the second Word flaw discovered in a week and the third Microsoft zero-day threat reported in the same period. The other flaw affects Windows Media Player.

In its blog, the Microsoft Security Response Center (MSRC) confirmed it's investigating a problem different from the Word glitch disclosed last week.

"From the initial reports and investigation we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis," Scott Deacon of the MSRC said in the blog entry. "We're tracking this issue and [will] provide updates should the situation change or [if] we become aware of new information."

The flaw affects Microsoft Word 2000, 2002, 2003 and Word Viewer 2003.

Despite the appearance of two new Word zero-days, the software giant is not scheduled to release any Word patches during its monthly security update Tuesday. The update will instead focus on Windows and Visual Studio, which has also been affected by a zero-day flaw.