The vulnerability described in CVE-2007-0870 (BID 22567) appears to be the ninth to affect Microsoft Office in recent months, and affects all versions of Microsoft Office 2000 and XP. A Microsoft security advisory confirms that the company has received reports of limited, targeted attacks against Word and that remote code execution is indeed possible. The announcement comes less than 24 hours after the company released its monthly set of patches for February 2007.
This week, Microsoft patched eight issues with Word or other Microsoft Office components, as described in MS07-014 and MS07-015. Since spring 2006, Microsoft's Office components have been increasingly exploited by attackers targeting specific companies or organizations, and reports of new zero-day attacks are becoming more frequent. Despite this week's set of Microsoft security fixes, several issues remain unpatched. SANS has a chart summarizing "the missing Microsoft patches" and McAfee has a blog entry about the newest Word threat.
Reports of this latest threat indicate that it is a targeted zero-day attack and very limited in scope, which means it is highly effective at avoiding detection in traditional business environments. Organizations and individuals should exercise extreme caution when opening Microsoft Office documents from unknown sources, and consider alternatives to help mitigate the threat in the interim.
Posted by: Kelly Martin