The newest Word 0-day – Microsoft was aware since 21st November
New zero-day vulnerability being exploited affects to Microsoft Word 2003/2002/2000, Microsoft Word Viewer 2003, Microsoft Word 2004 Mac versions and Microsoft Works 2006/2005/2004.
Microsoft has released their Security Advisory #929433 here.
It is interesting that the CVE candidate CVE-2006-5994 assigned confirms the following information:
Phase: Assigned (20061121)
It is exactly two weeks ago.
Microsoft states that they are investigating new public reports of limited “zero-day” attacks using the vulnerability.
Redmons guys list some technical information too:
What causes the vulnerability?
When a user opens a specially crafted Word file using a malformed string, it may corrupt system memory in such a way that an attacker could execute arbitrary code.
[Italics formatting added by the author.]
October Office patches MS06-062 and MS06-060 included fixes to this type of issues too. Microsoft has fixed its Office Viewer utilities several times during the last months when patching Office products.
It is worth of noticing that switching to Word Viewer is not a workaround in organizations now.
The good news are that when Microsoft had the information about the existence of the vulnerability they had a change to start their fix and QA process earlier (if they did). When the “new vulnerability report” became public Microsoft was forced to disclose the existence of the flaw.
UPDATE: I have written related Word 0-day vulnerability FAQ document now.