Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.
This month the Bug of the Month goes to Microsoft Word, in honor of the three zero-day bugs uncovered this month. The first one showed up in the December 6 BugBlog:
There is a new zero-day attack against Microsoft Word 2000, XP, 2003, Word for the Mac, and Microsoft Works. Users could only be affected if they opened up a maliciously designed Word document. Microsoft itself claims in their security advisory that attacks have been limited, but hostile code is circulating on various malware sites. We are a week away from the next Patch Tuesday, so I'm guessing that Microsoft is working fast to get a fix ready. Read more at http://www.microsoft.com/technet/security/advisory/929433.mspx.
I guessed wrong, for there was no fix on Patch Tuesday in November. The next one was the day before Patch Tuesday, on December 11:
There is a new zero-day attack against Microsoft Word, apparently unrelated to the zero-day attack discussed in the 12.6 BugBlog. It affects Word 2000, 2002, 2003, and the Word Viewer 2003. However, the brand new Word 2007 is not affected. (A cynical person would say this is all a marketing ploy to get people to upgrade. Luckily, I'm not cynical.) The issue is being actively exploited, according to Microsoft. At this point, it does not appear that there will be a fix for either of these issues in time for the 12/12 Patch Tuesday Security Releases. See http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx for more.
The third one was listed in the BugBlog Plus on December 15:







