Microsoft's Office productivity suite is swimming in waters that are infested, or dare I say, infected with zero-day exploits. So far, Microsoft has said only that attacks exploiting three new zero-day vulnerabilities in Office do not apply to version 2007 of its suite. Attacks targeting the newly discovered Office vulnerabilities came on the heels of Microsoft's April patch cycle.
On April 9, 2007, McAfee "saw the release of several Microsoft Office zero-day exploits in security forums. Some of these flaws may allow for remote code execution. McAfee Avert Labs is investigating all these zero-days. Today is Patch Tuesday for April. So, yes: this is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the public's exposure to these flaws until the next month's Patch Tuesday," revealed McAfee researcher Karthik Raman.
Microsoft confirmed the existence of the three vulnerabilities and announced that it is currently investigating the issues. However, the Redmond company emphasized that, following its initial analysis of the vulnerabilities, Office 2007 products are not impacted. Microsoft denied the existence of attacks exploiting any of the zero-day Office vulnerabilities.
"Further research by Avert Labs indicates that all but one of the Office zero-days reported yesterday result in denial of service. There is one heap-overflow flaw that might be exploited for code execution. Avert Labs has been analyzing proof-of-concept code for a zero-day vulnerability in Microsoft Windows's handling of HLP files. This is another heap-overflow flaw that might be exploited for code execution," Raman added.