Microsoft disputes Word zero-day report

Symantec is warning of a new zero-day vulnerability in Microsoft Word. But Microsoft doesn't believe the flaw is new.

Updated Wednesday, Jan. 31 with additional details from Microsoft.

For the second time in a week, Symantec Corp. said it has discovered a zero-day flaw in Microsoft Word that's being actively exploited. But Microsoft claims the flaw is not new.

In the cases it has reviewed, Symantec said machines are infected with a Trojan horse that exploits the flaw when the user opens a malicious Word file.

If Symantec's findings prove accurate, this will be the fifth zero-day flaw reported in Word in recent months, and security experts are hoping Microsoft will release a comprehensive fix during its next monthly patch rollout Feb. 13.

Symantec warned of the latest zero-day in an alert sent to customers of its DeepSight threat management service. The Cupertino, Calif.-based antivirus giant said it has confirmed that three variants of Trojan.Mdropper.X are targeting an unspecified flaw in Word 2003.

Zero-day in the news:
Microsoft investigates new Word zero-day

Critical fixes for Excel, Outlook and Windows

Out-of-cycle Microsoft patch likely, experts say

"We have successfully tested these exploits on Microsoft Word 2003 running on fully patched Windows XP with Service Pack 2," Symantec said. "We strongly suggest applying strict filtering policies preventing Microsoft Office documents from untrusted sources and networks. This is a new incident in a series of similar and ongoing attacks targeting this application."

Symantec said an attacker could exploit the flaw by enticing a victim to open a malicious Word file. If the attack is successful, the attacker may be able to run malicious code in the context of the logged-in user.

Microsoft said it is investigating the issue but that in its view, the problem is not new.

"Microsoft's initial investigation shows that this is not a new vulnerability but a duplicate of an already known public issue.

Last week, Symantec reported a memory-corruption flaw in Word 2000 that was also being targeted by malicious code. Microsoft confirmed it is investigating that flaw.

This is the fifth zero-day flaw reported in Word in recent months. Microsoft has acknowledged the first four, but has not yet issued a security update to fix them. When Word fixes weren't included in the software giant's January patch rollout, security experts speculated that the company might be compelled to release an out-of-cycle patch. That hasn't happened yet, and the next scheduled patch release is Tuesday, Feb. 13.

Read more on IT risk management