[Full-disclosure] Some thoughts about MS06-027 Winword.exe timestamps

[Juha-Matti Laurio <juha-matti.laurio@xxxxxxxx>]

After examining new MS advisories the time stamps of executables included to 
MS06-027 http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx are 
interesting. First warnings about this 0-day vulnerability in Word were 
published on 19th May, referring to Internet Storm Center Diary entry. ISC made 
a great job during these weeks.

When looking into Security Update Information section -> Manual Client 
Installation Information -> Client Installation File Information) we have the 
following Winword.exe information:

Word 2003 - 15-May-2006
Word 2002 - 12-May-2006
Word 2000 - 16-May-2006

The updated, non-affected Winword.exe for Word version 2002 was ready (and 
passed some MS release tests) exactly a week before first public warnings. Like 
we know some targeted attacks to companies in China area has been reported.

After updating my Word installation file information of C:\Program 
Files\Microsoft Office\OFFICE11\WINWORD.EXE says 11.5 Mb, 15th May 2006, 
revision 11.0.8026.0. Localized, Finnish update package was used.

New security advisory lists Shih-hao Weng of Information & Communication 
Security Technology Center, Taiwan (http://www.icst.org.tw/ ) as reporter of this 
issue. He was mentioned at Credit section of Windows Color Management Module 
advisory MS05-036 too. Big thanks goes to him as well.

BTW: MS06-027 lists Word Viewer 2003 (newest available) as affected too. Using 
viewer utilities was mentioned as one of the workarounds in May.

I'm not saying Microsoft was hiding something, I believe that attacks has been 
limited. Additionally, possibly Microsoft recommended target organizations not 
to use Word until fix is available.


- Juha-Matti

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/