BJK Research

BugBlog's Bug of the Month

Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

This month the Bug of the Month goes to Microsoft Word, in honor of the three zero-day bugs uncovered this month. The first one showed up in the December 6 BugBlog:

There is a new zero-day attack against Microsoft Word 2000, XP, 2003, Word for the Mac, and Microsoft Works. Users could only be affected if they opened up a maliciously designed Word document. Microsoft itself claims in their security advisory that attacks have been limited, but hostile code is circulating on various malware sites. We are a week away from the next Patch Tuesday, so I'm guessing that Microsoft is working fast to get a fix ready. Read more at http://www.microsoft.com/technet/security/advisory/929433.mspx.

I guessed wrong, for there was no fix on Patch Tuesday in November. The next one was the day before Patch Tuesday, on December 11:

There is a new zero-day attack against Microsoft Word, apparently unrelated to the zero-day attack discussed in the 12.6 BugBlog. It affects Word 2000, 2002, 2003, and the Word Viewer 2003. However, the brand new Word 2007 is not affected. (A cynical person would say this is all a marketing ploy to get people to upgrade. Luckily, I'm not cynical.) The issue is being actively exploited, according to Microsoft. At this point, it does not appear that there will be a fix for either of these issues in time for the 12/12 Patch Tuesday Security Releases. See http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx for more.

The third one was listed in the BugBlog Plus on December 15:

A third zero-day bug has been discovered in Microsoft Word 2000, XP, and 2003. Microsoft itself hasn't 'fessed up on this one (they are probably working on fixes for the first two) but McAfee talks about it, calling it the Microsoft Word 0-Day Vulnerability III, at http://vil.nai.com/vil/content/v_vul27264.htm. A zero-day bug means that code to exploit it is already circulating.

There was one other BugBlog Plus item related to it, on December 13:

Note that Microsoft's Patch Tuesday releases for December did not include fixes for the two zero-day exploits against Microsoft Word. NASA is not waiting -- they are blocking all Microsoft Word email attachments until patches are released. Read the whole story at http://www.msnbc.msn.com/id/16095705/.

Why this bug? First, because it is in Microsoft Word, the dominant word-processing software in the market. Word docs are ubiquitous in the publishing industry and in business as a whole. Second, there are three different bugs, with malicious code circulating for each one. Third, it looks like it will be about a month before Microsoft will have the fixes ready. Luckily for consumers, the second Tuesday in January is the relatively early January 9th. For these reasons, Microsoft gets another Bug of the Month award.

Previous Bugs of the Month

December 2006: Microsoft XML ActiveX Control Bug

November 2006: Microsoft ActiveX Bug

October 2006: Microsoft VML Bug

September 2006: Sony Batteries

August 2006: Microsoft Windows Genuine Advantage

July 2006: Yahoo! Mail

June 2006: Symantec Enterprise AV

May 2006: Microsoft Wins Special Lifetime Achievement Bug Award

April 2006: Adobe Macromedia Flash Player

March 2006: Microsoft Windows Media Player

Feb 2006: Apple QuickTime

Jan 2006: Microsoft WMF Bug

Dec 2005: Sony's Secret DRM Scheme Leaves Users Exposed

November 2005: Four Separate Bugs Leave Windows Open to Takeover

October 2005: Acrobat Screws Up MS Word

September 2005: Apple Security Update Breaks 64-bit Apps

August 2005: Cisco IOS Vulnerable to IPv6 bug

July 2005: RealNetworks Fixes Four Bugs in Their Media Player

June 2005: Flawed Rollout for Netscape 8

May 2005: TCP/IP Fix for Windows

April 2005: Denial of Service against Symantec Norton AntiVirus

March 2005: IDN Spoofing Bug

February 2005: Windows Animated Cursor Bug

January 2005: Windows Firewall Problems with Dial-up connections

The Bug of the Month is also posted at Blogcritics.org

Copyright 2003-2007 BJK Research LLC
