MSRC Blog: I wanted to try and summarize/clarify for everyone the three current Word Zero-Day issues that have been reported to Microsoft.

First, I wanted everyone to know that we’re actively investigating and monitoring all of these issues through our Software Security Incident Response Process and we are working on developing and testing security updates for the three issues, which we’ll release as part of our release process once they’ve reached an appropriate level of quality.

1.      CVE-2006-5994 – This issue is discussed in Microsoft Security Advisory 929433.  Our ongoing monitoring indicates that this is subject to very limited and targeted attacks.

2.      CVE-2006-6456 – This issue is discussed in our blog posting from December 10. Our ongoing monitoring indicates that this also is currently subject to very limited and targeted attacks.  Our investigation so far indicates that this issue affects Word 2000, Word 2002, Word 2003 and Word Viewer 2003.

3.      CVE-2006-6561 –  This is a new issue. At this time we’re aware only of Proof of Concept code: we’re not aware of any attacks at this time. Our initial investigation indicates that this issue affects Word 2000, Word 2002 and Word Viewer 2003.

The guidance, as far as steps that customers can take to protect themselves, that we’ve provided in Microsoft Security Advisory 929433 applies to all three issues. Our teams are continuing their research to find additional workarounds and if we have new information we’ll post that updated information in the advisory.

If you think you may have been impacted by this issue we definitely encourage you to contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security