A new zero-day vulnerability has been publicly released. Because details are at a minimum for the other two active zero-day vulnerabilities originally reported by Microsoft, it is presumed that this disclosed vulnerability is actually a third and separate vulnerability.
(The following offsets are based on WordView.exe version 11.0.8026.0.)
The field at offset 0×274 in 12122006-djtest.doc (0×23000000) is passed into sub_304536D3 as its 5th argument by sub_301A36CD. This number is reduced at 30453712 by a value so far only observed to be 1, then eventually multiplied by 4 at 30193FD6, resulting in the observed 0x8BFFFFFC value which is then added to a pointer at 3019400B to produce the destination passed to memmove. Although the destination pointer produced by 12122006-djtest.doc causes a crash, the field mentioned above could be controlled to target any location, relative to the address at which the data "AAAA" (from offset 0x27E4 in the file) is loaded into memory.
As more information becomes available, this ZDT entry will be updated along with the other two active Word zero-day vulnerabilities.
Word Viewer 2003
Word v.X for Mac (reported but unverified)
BeyondTrust Prevention and Detection:
BeyondTrust's Blink® Personal Edition protects from this vulnerability.
BeyondTrust's Blink® Professional Edition protects from this vulnerability.
BeyondTrust's Retina® Network Security Scanner scans devices to detect for this vulnerability.
Microsoft Security Bulletin (929434)
Currently there is no mitigation for this vulnerability. Word users are urged to use care when opening attachments from unknown parties or websites.
Links:First Public PoC Code Disclosure (Denial of Service)