[ISN] No fix yet for zero-day flaw in Word

From: InfoSec News (alerts@private)
Date: Thu Dec 07 2006 - 22:27:45 PST


By Joris Evers
Staff Writer, CNET News.com
December 7, 2006

As part of its monthly patch cycle, Microsoft plans to release on 
Tuesday six security bulletins, at least two of them deemed "critical."

Five of the security bulletins will include fixes for vulnerabilities in 
Windows, Microsoft said in a notice on its Web site Thursday. The sixth 
bulletin will offer an update for Visual Studio, it said.

Microsoft has not scheduled a patch for Office. Earlier this week, it 
warned that a yet-to-be-patched security hole in multiple versions of 
Word--part of the Office suite--is being exploited in cyberattacks. The 
software maker is working on a security update, but apparently needs 
more time.

The company did not specify how many flaws Tuesday's updates will 
address or in which components of Windows the holes lie. The Visual 
Studio update could offer a patch for a zero-day vulnerability in the 
developer tools that was made public last month.

The company has tagged the security hole in the developer tool as 
"critical," its highest risk rating. Critical vulnerabilities typically 
can allow a worm to spread or allow a Windows system to be fully 
compromised with minor or no interaction from the person using it. 
However, it did not offer details on exactly what will be fixed in 
Visual Studio.

Also on Tuesday, Microsoft will release an updated version of its 
Windows Malicious Software Removal Tool. The program detects and removes 
common malicious code placed on computers.

Last month, the software maker delivered six security bulletins, five of 
which were described as critical.

Microsoft gave no further information on the upcoming bulletins, other 
than stating that some of the Windows fixes may require restarting the 
computer or server.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Thu Dec 07 2006 - 22:40:09 PST