Microsoft suffers third zero-day in a week

By Bill Brenner, Senior News Writer 11 Dec 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

According to the French Security Incident Response Team (FrSIRT), the problem is a memory corruption error that appears when malformed documents are handled. Attackers could exploit this to execute arbitrary commands by tricking a user into opening a specially crafted Word document, FrSIRT said.

Zero-day attacks: Dec. 6: New zero-day affects Microsoft Word Nov. 6: Microsoft eyes second zero-day threat in a week Nov. 1: Zero-day attacks target Microsoft Visual Studio Sept. 19: Zero-day attack targets IE July 18: Microsoft plans PowerPoint zero-day patch Jun. 16: Microsoft Excel zero-day flaw discovered May 19: Zero-day threat targets Microsoft Word

It's the second Word flaw discovered in a week and the third Microsoft zero-day threat reported in the same period. The other flaw affects Windows Media Player.

In its blog, the Microsoft Security Response Center (MSRC) confirmed it's investigating a problem different from the Word glitch disclosed last week.

"From the initial reports and investigation we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis," Scott Deacon of the MSRC said in the blog entry. "We're tracking this issue and [will] provide updates should the situation change or [if] we become aware of new information."

The flaw affects Microsoft Word 2000, 2002, 2003 and Word Viewer 2003.

Despite the appearance of two new Word zero-days, the software giant is not scheduled to release any Word patches during its monthly security update Tuesday. The update will instead focus on Windows and Visual Studio, which has also been affected by a zero-day flaw.

Tags: Securing Productivity Applications,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Securing Productivity Applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Adobe acknowledges serious Flash zero-day vulnerability Adobe issues security advisory for Flash zero-day flaw When to use the service features of the Metasploit hacking tool How to manage patches for Adobe

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary sheepdip  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary