Microsoft has confirmed that a new 0-day vulnerability has been discovered in its Microsoft Word product. Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected. Microsoft Word 2007 is not affected by the vulnerability. For more information see the following Microsoft Security Advisory. This vulnerability follows on from another 0-day Microsoft Word vulnerability discovered last week, which Microsoft announced will not be patched in this month's release of patches. Both of these vulnerabilities are currently being actively exploited in attacks targeting specific organisations. That is not to say, however, that a more widespread attack could not happen. The SecurityTeam Blog has a pretty comprehensive FAQ on these issues. The Internet Storm Center has a diary entry on the above and US-CERT has also issued an advisory.
And if that was not enough to keep you awake at night, the folks at eEye Security have launched their Zero Day Tracker, which lists current 0-day vulnerabilities ordered by days of exposure.
Yet again, this is a clear demonstration that technology alone does not provide security and that we need to ensure a comprehensive security awareness programme and a vulnerability management process are in place to protect our information.