Exploits are limited

Jan 27, 2007 09:04 GMT

Microsoft is well on its way to collecting a fistful of unpatched Word vulnerabilities. The Redmond company confirmed yesterday the existence of another Office Word zero-day vulnerability, which comes on top of three existing flaws in the company's text editing product that have yet to be patched.

Secunia has labeled the Word 2000 zero-day as highly critical, and has warned that the vulnerability is being actively exploited. Symantec has identified a backdoor Trojan that is involved in exploits of the Word 2000 zero-day. Trojan.Mdropper.W uses the Microsoft Word 2000 Unspecified Code Execution Vulnerability to infect systems via malformed Word 2000 files.

"We are currently investigating a report of a posting of proof of concept code which could allow an attacker to execute code on a user's machine in their security context by convincing them to open a specially-crafted Word document. We are aware of very limited, targeted attacks attempting to use the vulnerability reported," said Alexandra Huft, Security Program Manager.

The Redmond company said that the zero-day vulnerability is under investigation, but did not provide any additional details beyond the fact that the flaw is limited to Word 2000. "The vulnerability cannot be exploited on Word 2003, Word Viewer 2003, Word 2007, and Word 2004 for Mac, Word v. X for Mac, Word 2002 or Works 2004, 2005, or 2006," stated Microsoft, adding that a system can be compromised only if the user opens a compromised Word 2000 file.