[Full-disclosure] Some thoughts about MS06-027 Winword.exe timestamps



After examining new MS advisories the time stamps of executables included to MS06-027 http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx are interesting. First warnings about this 0-day vulnerability in Word were published on 19th May, referring to Internet Storm Center Diary entry. ISC made a great job during these weeks.

When looking into Security Update Information section -> Manual Client Installation Information -> Client Installation File Information) we have the following Winword.exe information:

Word 2003 - 15-May-2006
Word 2002 - 12-May-2006
Word 2000 - 16-May-2006

The updated, non-affected Winword.exe for Word version 2002 was ready (and passed some MS release tests) exactly a week before first public warnings. Like we know some targeted attacks to companies in China area has been reported.

After updating my Word installation file information of C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE says 11.5 Mb, 15th May 2006, revision 11.0.8026.0. Localized, Finnish update package was used.

New security advisory lists Shih-hao Weng of Information & Communication Security Technology Center, Taiwan (http://www.icst.org.tw/ ) as reporter of this issue. He was mentioned at Credit section of Windows Color Management Module advisory MS05-036 too. Big thanks goes to him as well.

BTW: MS06-027 lists Word Viewer 2003 (newest available) as affected too. Using viewer utilities was mentioned as one of the workarounds in May.

I'm not saying Microsoft was hiding something, I believe that attacks has been limited. Additionally, possibly Microsoft recommended target organizations not to use Word until fix is available.


- Juha-Matti

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/