Third Word Flaw discovered!!!


In less than 10 days, a third, previously unknown flaw in MS Word has been published by the hacker community. The details are available on the milw0rm website here and the document can be downloaded from here (though I strongly discourage you from doing so). The POC was posted by a hacker who calls himself DiscoJonny, and this is what he wrote on the website.

=====
The file I have attached is a very basic two stage bug. stage 1 (the
first mod) forces the code down a wrong path. the second mod by
itself is harmless, however when used with the first it will be the
first and part of the second overwrite.

I have used 41414141 as a marker to make it easier for you to see.

I have made it crash the wordviewer again to make it more obvious

Weight,
location: 00000274
value : 00000022 - just so it crashes, values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. notice
that neighbouring areas can be weighted the same.

marker,
location: 000027e4
value : 41414141

the weight destination address == ((weight * 4[this is EDI]) + 4 [ECX*4]) + source memory offset[ESI].

[also the meta data is Microsoft's, not mine]
======

bug hugs,

disco.

poc: http://www.milw0rm.com/sploits/12122006-djtest.doc

# milw0rm.com [2006-12-12]
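The note above gives two fixed file offsets (the "weight" at 000274 and the 41414141 marker at 0027e4) that identify this particular POC document. As an added example, not part of the original post or the milw0rm entry, here is a small triage script that reads those two DWORDs from a file and reports whether they match; it assumes little-endian byte order for the weight field and uses a constructed all-zero buffer as a stand-in for a real .doc.

```python
import struct
import sys
from typing import Optional

# Offsets and values as quoted in DiscoJonny's note (hex in the post).
WEIGHT_OFFSET = 0x274
WEIGHT_VALUE = 0x22          # "just so it crashes" in the POC
MARKER_OFFSET = 0x27E4
MARKER_VALUE = 0x41414141    # the 'AAAA' marker he used to make the overwrite visible


def read_dword(data: bytes, offset: int) -> Optional[int]:
    """Read a little-endian DWORD at offset; None if the file is too short.
    Little-endian is an assumption (Word binary files are little-endian)."""
    if offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def triage_doc(data: bytes) -> dict:
    """Report the two fields and whether both match the published POC."""
    weight = read_dword(data, WEIGHT_OFFSET)
    marker = read_dword(data, MARKER_OFFSET)
    findings = []
    if marker == MARKER_VALUE:
        findings.append("marker 0x41414141 at 0x27e4")
    if weight == WEIGHT_VALUE:
        findings.append("weight 0x22 at 0x274")
    return {"weight": weight, "marker": marker,
            "findings": findings, "matches_poc": len(findings) == 2}


def make_sample(poisoned: bool) -> bytes:
    """Constructed stand-in buffer (not a real .doc) for offline runs."""
    buf = bytearray(0x3000)
    if poisoned:
        struct.pack_into("<I", buf, WEIGHT_OFFSET, WEIGHT_VALUE)
        struct.pack_into("<I", buf, MARKER_OFFSET, MARKER_VALUE)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python triage.py suspicious.doc  (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(True)
    print(triage_doc(blob))
```

A different weight value with the same marker still shows up in `findings`, so a file that was edited after the POC was published is not silently passed.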

Notice the language, which leads me to think that this guy is from somewhere in east Europe or Asia (as if it's of any use!!!). I downloaded the file and ran it to see what happens. On MS Word 2003, it totally crashes and generates an error dump that it asks to send to Microsoft. In MS Word 2007 Beta2 it doesn't even generate an error report and just shuts down, giving this "helpful" error message. Would that allow remote code execution? Probably. I don't know yet.

But the message is clear. Hackers are after applications now.
