Three's company with MS Word zero-day flaws

No sooner did I finish writing "Is MS Office becoming a zero-day liability all year long" did a second zero-day vulnerability appear for Microsoft Word.  But before I even managed to catch my breath a third zero-day vulnerability for Microsoft Word appeared.

No sooner did I finish writing "Is MS Office becoming a zero-day liability all year long" did a second zero-day vulnerability appear for Microsoft Word.  But before I even managed to catch my breath a third zero-day vulnerability for Microsoft Word appeared.  These zero-day vulnerabilities affect all recent versions of Word for Windows including the free Word player prior to Word 2007 but two of the three vulnerabilities affect the Mac as well.  The only bright spot for Microsoft is that none of these three MS Word vulnerabilities affect the newly released Word 2007 which went through a strenuous code audit under Microsoft's SDL (Security Development Lifecycle) program.

I suppose one could be cynical and wonder why Microsoft wouldn't apply the same kind of audit at least on its existing Office 2003 suite and if sales of Office 2007 has anything to do with the decision not to.  Whatever the reason, these kinds of triple threat zero-day flaws can't be doing wonders for Microsoft image regardless of the fact that it's technically on older products.  At this point in time, pre-2007 Office products still make up more than 99.9% of the MS Office market share and Microsoft needs to do something to clean up their act.

It could be viewed in a pathetic kind of way that three zero-day vulnerabilities for MS Word at one time isn't really any more dangerous than one zero-day vulnerability for Word since any one of them can crack in to your computer but it does make it hard on keeping up with the antivirus and network IDS definitions.  This also happened soon enough that all three exploits may get patched in the January patch Tuesday update.  Other than keeping your gateway AV and IDS defenses up to date for now, there is really not much else you can do since you can get infected files from people you don't know as well as people you do know.  A good rule of thumb is to avoid opening any kind of unsolicited document files whether it's an image or document attachment from people you know or don't know.  If you didn't ask for it, don't open it until you confirm with the sender you know and trust that it was meant for you to open.