The newest Word 0-day – Microsoft has been aware since 21st November

A new zero-day vulnerability that is being exploited affects Microsoft Word 2003/2002/2000, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Works 2006/2005/2004.

Microsoft has released its Security Advisory #929433.

It is interesting that the CVE candidate assigned to it, CVE-2006-5994, shows the following information:

Phase: Assigned (20061121)

That is exactly two weeks ago.

Microsoft states that it is investigating new public reports of limited “zero-day” attacks using the vulnerability.

The Redmond guys list some technical information too:

What causes the vulnerability?
When a user opens a specially crafted Word file using a malformed string, it may corrupt system memory in such a way that an attacker could execute arbitrary code.

[Italics formatting added by the author.]

The October Office patches MS06-062 and MS06-060 included fixes for this type of issue too. Microsoft has fixed its Office Viewer utilities several times in recent months when patching Office products.
It is worth noting that switching to Word Viewer is not a workaround for organizations now.

The good news is that, since Microsoft had information about the existence of the vulnerability, it had a chance to start its fix and QA process earlier (if it did). When the “new vulnerability report” became public, Microsoft was forced to disclose the existence of the flaw.

UPDATE: I have now written a related Word 0-day vulnerability FAQ document.

  • iain

    Well, I guess this just shows you know very little about CVE numbers. All the ‘assigned’ date tells you is the date that MITRE issued a block of numbers to Microsoft for the MSRC to assign, since Microsoft is a designated Candidate Numbering Authority:

    So in this case, all this tells you is that MITRE issued a block of numbers to Microsoft on 11/21 that contained this CVE number. Microsoft could have been aware of the vuln before or after that date – they just happened to assign CVE-2006-5994 to it as it was next on the stack.

    In short, the CVE assigned date tells you nothing about when Microsoft first became aware of the vulnerability – oh, and this is not Microsoft specific; it applies to any vendor who assigns their own numbers, like Red Hat, Debian, etc.