Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.
This month the Bug of the Month goes to Microsoft Word, in honor of the three zero-day bugs uncovered this month. The first one showed up in the December 6 BugBlog:
There is a new zero-day attack against Microsoft Word 2000, XP, 2003, Word for the Mac, and Microsoft Works. Users could only be affected if they opened up a maliciously designed Word document. Microsoft itself claims in their security advisory that attacks have been limited, but hostile code is circulating on various malware sites. We are a week away from the next Patch Tuesday, so I'm guessing that Microsoft is working fast to get a fix ready. Read more at http://www.microsoft.com/technet/security/advisory/929433.mspx.
I guessed wrong, for there was no fix on Patch Tuesday in November. The next one was the day before Patch Tuesday, on December 11:
There is a new zero-day attack against Microsoft Word, apparently unrelated to the zero-day attack discussed in the 12.6 BugBlog. It affects Word 2000, 2002, 2003, and the Word Viewer 2003. However, the brand new Word 2007 is not affected. (A cynical person would say this is all a marketing ploy to get people to upgrade. Luckily, I'm not cynical.) The issue is being actively exploited, according to Microsoft. At this point, it does not appear that there will be a fix for either of these issues in time for the 12/12 Patch Tuesday Security Releases. See http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
The third one was listed in the BugBlog Plus on December 15:
A third zero-day bug has been discovered in Microsoft Word 2000, XP, and 2003. Microsoft itself hasn't 'fessed up on this one (they are probably working on fixes for the first two) but McAfee talks about it, calling it the Microsoft Word 0-Day Vulnerability III, at http://vil.nai.com/vil/content/v_vul27264.htm. A zero-day bug means that code to exploit it is already circulating.
There was one other BugBlog Plus item related to it, on December 13:
Note that Microsoft's Patch Tuesday releases for December did not include fixes for the two zero-day exploits against Microsoft Word. NASA is not waiting — they are blocking all Microsoft Word email attachments until patches are released. Read the whole story at http://www.msnbc.msn.com/id/16095705/.
Why this bug? First, because it is in Microsoft Word, the dominant word-publishing software in the market. Word docs are ubiquitous in the publishing industry and in business as a whole. Second, there are three different bugs, with malicious code circulating for each one. Third, it looks like it will be about a month before Microsoft will have the fixes ready. Luckily for consumers, the second Tuesday in January is the relatively early January 9th. So for these reasons, Microsoft gets another Bug of the Month award.