Third MS Word Code Execution Exploit Posted

Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened.

Microsoft has not yet publicly acknowledged the vulnerability, but the United States Computer Emergency Readiness Team issued an alert to warn that Word documents can be manipulated to trigger code execution or denial-of-service attacks. "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory," the US-CERT warned.

An attacker could trigger the vulnerability by convincing a user to open a rigged Word document. Because exploit code is publicly available, the risk of a widespread attack is heightened.
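
The bug class US-CERT describes, a copy destination built from a value stored in the file, is closed by range-checking that value before the copy. The C sketch below is an example added here, not code from Microsoft, US-CERT or the original article; the record layout and the names `apply_record` and `try_record` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record (constructed for this example, not Word's format):
 * bytes 0-3 LE offset into dst, bytes 4-7 LE payload length, then payload. */
#define REC_HDR 8u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy the payload to dst at the file-supplied offset, treating both header
 * fields as untrusted. Returns 0 on success, -1 if the record is rejected. */
int apply_record(uint8_t *dst, size_t dst_len, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < REC_HDR)
        return -1;
    uint32_t off = rd_le32(rec);
    uint32_t len = rd_le32(rec + 4);
    /* The claimed payload must actually be present in the input. */
    if (len > rec_len - REC_HDR)
        return -1;
    /* The destination range must lie inside dst; phrased so off + len cannot wrap. */
    if (off > dst_len || len > dst_len - off)
        return -1;
    memcpy(dst + off, rec + REC_HDR, len);
    return 0;
}

/* Constructed sample input: a record with a 4-byte payload and the given
 * header fields, applied to a 16-byte buffer. */
int try_record(uint32_t off, uint32_t len)
{
    uint8_t dst[16] = {0}, rec[REC_HDR + 4] = {0};
    for (int i = 0; i < 4; i++) {
        rec[i] = (uint8_t)(off >> (8 * i));
        rec[4 + i] = (uint8_t)(len >> (8 * i));
    }
    memset(rec + REC_HDR, 'A', 4);
    return apply_record(dst, sizeof dst, rec, sizeof rec);
}

int main(void)
{
    printf("%d %d\n", try_record(12, 4), try_record(0xFFFFFFFCu, 4));
    return 0;
}
```

Without the two range checks, the `memcpy` destination would be whatever address the file's offset field selects.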

View: The full story
News source: eWeek


One thing I don't like about publicizing vulnerabilities is that it tells hackers where and what to look for.

Chances are that security companies know something that hackers don't even know exists... yet.

So, I would prefer that security companies keep their mouths shut and keep it between them and Microsoft (or insert software company).

I know they do it to publicize it only if and when MS decides to ignore them. But only if the security threat is considered to be high, not medium or low.

I also question the publicizing of the threats, as it almost seems like they love being in the spotlight within the media.

The attack code, available at
Microsoft has not yet publicly acknowledged the vulnerability...
Maybe they will, now.