Security researchers spotted an attack this week that exploits a vulnerability in Microsoft Word patched just days before.
Symantec reported mid-week that it had obtained a suspicious Word document that crashed every version of the application except the newest, Word 2007, when opened. After it examined the document, Symantec found that the document included shell code and three pieces of malware.
Among its more surprising findings: Symantec found that the document had been created with the edition of Word included with Office for Mac 2004.
Just a few days earlier, Microsoft had issued a patch that closed a critical vulnerability in multiple editions of the popular word processor, including Word 2000, Word XP and Word for the Mac. Symantec put the two together. "Taking a closer look at that vulnerability, we confirmed that this document was in fact exploiting the same vulnerability," researcher Orla Cox said on the company's security response blog.
Even though Microsoft in its advisory acknowledged that attacks had already been seen in the wild, Symantec remarked on the finding. "In our experience, the exploitation of such vulnerabilities tends to be very targeted in nature," said Cox, when talking about the unusual discovery.
It's not unusual, however, for exploits to appear soon after a vendor posts a patch. The practice, dubbed "Exploit Wednesday" to match the "Patch Tuesday" moniker used to describe Microsoft's monthly patch day, has been debunked by some, however, as part myth. Hackers don't actually stockpile code and synchronize its release with the appearance of patches, a researcher at Symantec rival McAfee said in June after releasing the results of a survey of 200 zero-day Windows vulnerabilities.
Updates to the Windows versions of Word can be obtained via Microsoft Update or Office Update, while the patch for the Mac edition is included in the 11.3.8 update to Office 2004 available on the Web site of Microsoft's Macintosh development team.