14 DAY TRIAL // Attack code exploiting a Microsoft Word vulnerability is available in the wild. This is the third example of proof-of concept targeting a vulnerability across Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.
On December 5, Microsoft published Security Advisory (929433) informing that it was aware of limited zero-day attacks affecting the Word vulnerability. Although a successful exploit relies on users interaction and is bases on social engineering, the vulnerability is of a critical nature as it allows for remote code execution. David Marcus, security research and communications manager with McAfee Inc.'s Avert Labs, noted that a successful exploit will lead to the execution of malicious code on the victim's compromised machine.
Marcus confirmed Microsoft's reports of limited and targeted exploit attempts exemplifying with a high-profile company whose members received malicious emails containing compromised Word document attachments.
Microsoft has released seven security bulletins in December but none of them address the Word vulnerability described in Security Advisory (929433). "The patches do not contain a fix for the zero day Microsoft Word vulnerability announced last week. Microsoft is believed to still be investigating that issue," commented Sophos. In the context of an increasing volume of attacks, the most probable scenario is that Microsoft will deliver an out of band security update and will not wait until January to issue a patch.