11 December 2006
Update 14 February 2007
Microsoft's set of monthly patches released on 13 February addresses several vulnerabilities in Word. More information is available in MS07-014.
Update 10 January 2007
Microsoft's set of monthly patches released on 10 January does not include fixes for any of the published vulnerabilities in Word.
Update 12 December 2006
Microsoft's set of monthly patches released on 12 December does not include fixes for either of these two vulnerabilities.
In the past week, two zero-day vulnerabilities have been discovered in Microsoft Word (and Word Viewer).
Both of these are critical and may cause malicious code execution when a Word document is opened.
The two vulnerabilities are discussed in more detail in the following links to relevant information on Microsoft's web site (the links open separate browser windows):
- Microsoft Security Advisory (929433) (5 December)
- Microsoft Security Response Center Blog! (12 December)
At the time of this writing, no security patches that address these vulnerabilities are available from Microsoft. Whether any patches will be available as part of Microsoft's usual monthly patch release later this week remains to be seen. The second vulnerability mentioned above in particular is unlikely to be included, as it is so new that any patch will probably not conform to Microsoft's testing regime.
Exploit code that utilizes these vulnerabilities has been published.
Recommendations
Norman recommends that users be more careful than usual when opening Word-based email attachments from untrusted sources, as well as unexpected email attachments from trusted sources. Word documents available from web sites should also be opened only with the utmost care.
Updates
More information will be published on this web page when available.
