Softpedia
 


December 15th, 2006, 15:51 GMT

Details on Three Unpatched MS Word Vulnerabilities



There are three different vulnerabilities affecting Microsoft Word, all of them identified in the course of a single week. Symantec has additionally warned that Proof-of-Concept code has been published and is available for download in the wild, increasing the risks to MS Word users.

Microsoft has yet to issue security patches addressing these vulnerabilities. The first Word flaw was reported by the Redmond company on December 6 in Security Advisory 929433. A successful exploit targeting this vulnerability would allow an attacker to remotely execute code on a compromised system. Symantec revealed that it has already introduced a heuristic detection for this vulnerability.

The second Word flaw was confirmed by the Redmond company on December 10. This too allows for remote code execution. "We have added detection for the malicious code that exploits this vulnerability as Trojan.Mdropper.U. A heuristic detection is currently being worked on for the vulnerability itself and will be released as soon as possible," stated Symantec.

The Proof-of-Concept for the third Word vulnerability was published on December 12. Symantec Security Response has created the Bloodhound.Exploit.108 heuristic detection for this vulnerability. "Unlike the two previous vulnerabilities, this one resides in the way Microsoft Word handles data describing the text formatting in a document (such as which font to use, if the text is bold or in italics, etc.). By modifying certain properties within the data structure used to contain this information, an attacker can cause code to execute within the Microsoft Word process. This could allow it to drop malicious code onto the targeted system, or install a back door," added Symantec.

Microsoft has scheduled the next security update cycle for January 9, 2007, but the context of the three Word vulnerabilities makes an out-of-band update release a reasonable possibility.
