An exploit for Microsoft Word appeared on the vulnerability research site Milw0rm earlier this week, leaving the software giant with a total of three still-unpatched vulnerabilities to fix.
A text file that accompanied the exploit described it as a two-stage proof-of-concept Word document. Security firms Symantec--the owner of SecurityFocus--and McAfee both confirmed the exploitability of the security bug, with McAfee noting that the issue appears to match a trend of publishing flaw information near Microsoft's Tuesday release of software updates.
"Although one could argue that the December 12 release of a new Microsoft flaw was only a coincidence, it fits the trend of the disclosure of Microsoft vulnerabilities on or just after a Patch Tuesday," McAfee stated in its blog.
Flaws in Microsoft's Office productivity suite have hammered the company in 2006, a trend noted by SecurityFocus in July. Now, there appears to be an end-of-year rush on: Since Microsoft warned of "limited" attacks using a flaw in Word on December 6, two other security issues in the application's handling of documents have also been disclosed. Such flaws are the vector of choice for targeted Trojan horse attacks that appear to be emanating from China.
Security professionals generally agree that PC users should take care in opening any untrusted content--be it a Web page, Word document, or program file.
Posted by: Robert Lemos