BugBlog's Bug of the Month
Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.
This month the Bug of the Month goes to Microsoft Word, in honor of the three zero-day bugs uncovered this month. The first one showed up in the December 6 BugBlog:
There is a new zero-day attack against Microsoft Word 2000, XP, 2003, Word for the Mac, and Microsoft Works. Users could only be affected if they opened up a maliciously designed Word document. Microsoft itself claims in their security advisory that attacks have been limited, but hostile code is circulating on various malware sites. We are a week away from the next Patch Tuesday, so I'm guessing that Microsoft is working fast to get a fix ready. Read more at http://www.microsoft.com/technet/security/advisory/929433.mspx.
I guessed wrong, for there was no fix on Patch Tuesday in November. The next one was the day before Patch Tuesday, on December 11:
There is a new zero-day attack against Microsoft Word, apparently unrelated to the zero-day attack discussed in the 12.6 BugBlog. It affects Word 2000, 2002, 2003, and the Word Viewer 2003. However, the brand new Word 2007 is not affected. (A cynical person would say this is all a marketing ploy to get people to upgrade. Luckily, I'm not cynical.) The issue is being actively exploited, according to Microsoft. At this point, it does not appear that there will be a fix for either of these issues in time for the 12/12 Patch Tuesday Security Releases. See http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx for more.
The third one was listed in the BugBlog Plus on December 15:
A third zero-day bug has been discovered in Microsoft Word 2000, XP, and 2003. Microsoft itself hasn't 'fessed up on this one (they are probably working on fixes for the first two) but McAfee talks about it, calling it the Microsoft Word 0-Day Vulnerability III, at http://vil.nai.com/vil/content/v_vul27264.htm. A zero-day bug means that code to exploit it is already circulating.
There was one other BugBlog Plus item related to it, on December 13:
Note that Microsoft's Patch Tuesday releases for December did not include fixes for the two zero-day exploits against Microsoft Word. NASA is not waiting -- they are blocking all Microsoft Word email attachments until patches are released. Read the whole story at http://www.msnbc.msn.com/id/16095705/.
Why this bug? First, because it is in Microsoft Word, the dominant word-publishing software in the market. Word docs are ubiquitous in the publishing industry and in business as a whole. Second, there are three different bugs, with malicious code circulating for each one. Third, it looks like it will be about a month before Microsoft will have the fixes ready. Luckily for consumers, the second Tuesday in January is the relatively early January 9th. So for these reasons, Microsoft gets another Bug of the Month award.
Previous Bugs of the Month
December 2006: MIcrosoft XML ActiveX Control Bug
November 2006: Microsoft ActiveX Bug
October 2006: Microsoft VML Bug
September 2006: Sony Batteries
August 2006: Microsoft Windows Genuine Advantage
July 2006: Yahoo! Mail
June 2006: Symantec Enterprise AV
May 2006: Microsoft Wins Special Lifetime Achievement Bug Award
April 2006: Adobe Macromedia Flash Player
March 2006: Microsoft Windows Media Player
Feb 2006: Apple QuickTime
Jan 2006: Microsoft WMF Bug
Dec 2005: Sony's Secret DRM Scheme Leaves Users Exposed
November 2005: Four Separate Bugs Leave Windows Open to Takeover
October 2005: Acrobat Screws Up MS Word
September 2005: Apple Security Update Breaks 64-bit Apps
August 2005: Cisco IOS Vulnerable to IPv6 bug
July 2005: RealNetworks Fixes Four Bugs in Their Media Player
June 2005: Flawed Rollout for Netscape 8
May 2005: TCP/IP Fix for Windows
April 2005: Denial of Service against Symantec Norton AntiVirus
March 2005: IDN Spoofing Bug
February 2005: Windows Animated Cursor Bug
January 2005: Windows Firewall Problems with Dial-up connections
The Bug of the Month is also posted at Blogcritics.org
Copyright 2003-2007 BJK Research LLC