Microsoft has acknowledged another bug in Word is being used by hackers to commandeer computers, just hours after a Microsoft security manager said that the week's updates had patched all in-the-wild threats against Office applications.
On Tuesday, Microsoft released 12 security bulletins with patches for 20 vulnerabilities, including six for Word and one each for PowerPoint and Excel.
"All the zero-day [vulnerabilities] in Word and Office were patched Tuesday," Mark Griesi, security programme manager for the Microsoft Security Response Center (MSRC), said.
Griesi said the status of the bugs and their patches – most of which were being used by cyber criminals in targeted attacks – was confusing. "Some of that is because in the time since the vulnerabilities began appearing, there were other reports on new zero-days," said Griesi. "But those were not new zero-days."
Instead, Microsoft determined that in-the-wild exploits weren't working, which applies to the newest Word flaw, or that the bugs being used had already been disclosed.
On 9 February, McAfee researchers said that they had found another un-patched bug in Microsoft Word 2000. That same day, Microsoft reported that its analysis indicated the flaw could only crash the word processor. Such distributed denial of service (DDoS) vulnerabilities are considered less threatening, since they may not let the attacker run his own code on the compromised machine.
As it turns out, however, Microsoft was wrong. "[Our] analysis shows that this vulnerability is likely not limited to denial of service and that remote code execution may in fact be possible," Craig Schmugar, virus research manager at McAfee's Avert Labs, wrote in a warning.