Word Trifecta

Hey Readers, just wanted to give you a couple of site updates for research.eeye.com, and most notably the zero-day tracker.  We'll start with the good news...

Good News: eEye Research has added another vulnerability to its upcoming advisories page.  The vulnerability is locally-exploitable on Windows which will allow for arbitrary code to be executed with greater than SYSTEM-level privileges.

Good News: eEye Research has published its Patch Disclosure Analysis for the month of December.  You'll find good insight into what was released this month from Redmond, as well as some extra mitigation that wasn't found in the bulletins.

Good News: The eEye Research blog now accepts anonymous comment without needing a typepad account.  Feel free to post any comments you have to the blog or to skunkworks@eeye.com directly.

BAD NEWS: eEye Research has added another zero-day vulnerability for Microsoft Word today from a recent proof of concept posted by Disco Jonny.  Because there is no public information regarding the previous two zero-day vulnerabilities (covered here and here), this vulnerability is presumed to be a separate vulnerability altogether.  Therefore, this vulnerability represents the third active zero-day affecting Microsoft Word at this very instant.

As usual, feel free to direct any questions regarding research.eeye.com or the eEye Research Team in general to skunkworks@eeye.com.

eEye ZDT - Day 2

Thanks for the feedback everyone on the new eEye Zero-Day Tracking site.  As requested, we have added RSS support to the site which will help everyone keep track of this resource via their favorite RSS reader.  Also, we have added the new Microsoft Word zero-day.  Details are still at a minimum for this one, but keep it tuned here for the latest information regarding this and all zero-days as they happen.  As usual, send us any questions or comments directly to skunkworks@eeye.com.  We appreciate all of the community feedback that we have received so far.

Zero-Day Tracker Launch

We are pleased to announce the release of eEye Research's Zero-Day Tracker.  This site will help the community keep track of past and present zero-day vulnerabilities in real-time.  This isn't a simple link repository, but instead personalized analysis information from eEye researchers.  If something is reported as a non-exploitable bug, we'll make sure to exhaust the flaw for exploitability, as we have shown with the ASX Playlist and the ADODB.Connection ActiveX zero-day vulnerabilities.  We will also always try to do our best to provide recommendations on what users can do to mitigate any zero-day vulnerabilities.

All future critical zero-day vulnerabilities will of course be added to the list, and any past zero-day vulns can also be requested by the community.  Simply email us to request some additional zero-day posts, or even if you just have some general questions regarding the site or anything related to eEye Research.

Adios!