Third Word 0-day Disclosed
Following right on the heels of the first and second Word 0-days, we now have a third Word 0-day this month. At least this third Word 0-day exploit has a published proof-of-concept, which is more information than we've seen for the previous two.
Because no detailed analysis writeups have been published for the previous two Word exploits, no one knows for sure (at least publicly) whether the third 0-day actually exploits a new vulnerability in Word or the same one. Microsoft has yet to address any of the three.
Quick Analysis of today's Word 0-day: (Thanks to Darien Kindlund for the analysis writeup)
From the marker that the PoC author provides (41414141), it looks like the exploit payload sits in either the "1Table" or "0Table" OLE stream within the DOC file. This is the "Table Stream" defined in the 97-2003 Word specification; a document only uses one of the two at a time, and a flag in the File Information Block (FIB) at the start of the WordDocument stream says which.
Essentially, upon saving a document, Word dumps selected in-memory application state straight to disk in this stream, so that the application can quickly open and render the document without having to reconstruct that state from scratch.
Unfortunately, Word does not validate the Table Stream before reading it back in, and the exploit takes advantage of that. Deleting the Table Stream entirely isn't an option, either: doing so corrupts the file.
It may be possible to "scrub" or "validate" these contents, but that would require further intricate knowledge of how Word uses this data (possibly beyond what the 97-2003 Word specification describes).
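The two checks a practitioner would actually want at this point, as an added Python example that is not code from the original post or from Darien Kindlund's analysis: read the FIB at the start of the WordDocument stream to learn which of 0Table/1Table the file is using (the fWhichTblStm bit in the flag word at FIB offset 0x0A), then apply the sanity check Word itself reportedly skips: confirm that every (fc, lcb) offset/length pair in the FIB's FibRgFcLcb array lies inside the selected table stream, and flag long runs of 0x41 fill bytes like the PoC's marker. The FIB layout used here (32-byte FibBase, then csw + FibRgW97, cslw + FibRgLw97, cbRgFcLcb + the fc/lcb pairs) is my reading of the published Word binary format; the script assumes the raw streams have already been pulled out of the OLE container (for instance with olefile), and the sample streams, the two-entry fc/lcb array and the "A" marker are constructed inline, not taken from the PoC. Treating an out-of-bounds pair as evidence of tampering is this example's heuristic, not something the specification promises.

```python
import struct
from typing import Dict, List, Tuple

WORD_FIB_IDENT = 0xA5EC      # wIdent: first word of every Word 97-2003 FIB
FIB_FWHICHTBLSTM = 1 << 9    # bit in the flag word at FIB offset 0x0A: set -> "1Table", clear -> "0Table"
FILL_BYTE = 0x41             # 'A', the 41414141 marker the PoC author used
MIN_FILL_RUN = 8             # shortest run of FILL_BYTE worth reporting


def _u16(buf: bytes, off: int) -> int:
    """Little-endian uint16 with an explicit truncation check."""
    if off + 2 > len(buf):
        raise ValueError("WordDocument stream truncated at offset 0x%X" % off)
    return struct.unpack_from("<H", buf, off)[0]


def parse_fib(word_doc: bytes) -> Dict[str, object]:
    """Parse the start of the WordDocument stream (the FIB) far enough to find the
    live table stream name and the FibRgFcLcb offset/length array.
    Assumed layout: FibBase (32 bytes), csw + FibRgW97 (csw words),
    cslw + FibRgLw97 (cslw dwords), cbRgFcLcb + FibRgFcLcb (pairs of uint32 fc, lcb)."""
    w_ident = _u16(word_doc, 0)
    if w_ident != WORD_FIB_IDENT:
        raise ValueError("not a Word FIB: wIdent 0x%04X" % w_ident)
    n_fib = _u16(word_doc, 2)
    flags = _u16(word_doc, 0x0A)
    table_stream = "1Table" if flags & FIB_FWHICHTBLSTM else "0Table"

    off = 32                              # end of FibBase
    csw = _u16(word_doc, off)
    off += 2 + 2 * csw                    # skip FibRgW97
    cslw = _u16(word_doc, off)
    off += 2 + 4 * cslw                   # skip FibRgLw97
    cb = _u16(word_doc, off)
    off += 2
    if off + 8 * cb > len(word_doc):
        raise ValueError("FibRgFcLcb claims %d pairs but the stream ends first" % cb)
    fc_lcb = [struct.unpack_from("<II", word_doc, off + 8 * i) for i in range(cb)]
    return {"nFib": n_fib, "flags": flags, "table_stream": table_stream, "fc_lcb": fc_lcb}


def find_fill_runs(data: bytes, fill: int = FILL_BYTE,
                   min_run: int = MIN_FILL_RUN) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of `fill` at least `min_run` bytes long."""
    runs, i = [], 0
    while i < len(data):
        if data[i] != fill:
            i += 1
            continue
        j = i
        while j < len(data) and data[j] == fill:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i))
        i = j
    return runs


def check_table_stream(streams: Dict[str, bytes]) -> Dict[str, object]:
    """Given the raw OLE streams of a .doc (name -> bytes), pick the table stream the
    FIB says is live and apply two sanity checks to it."""
    fib = parse_fib(streams["WordDocument"])
    name = fib["table_stream"]
    if name not in streams:
        raise ValueError("FIB selects %s but the file has no such stream" % name)
    table = streams[name]
    # Every non-empty (fc, lcb) pair must describe a region inside the table stream.
    out_of_bounds = [(i, fc, lcb) for i, (fc, lcb) in enumerate(fib["fc_lcb"])
                     if lcb and fc + lcb > len(table)]
    return {"table_stream": name, "table_len": len(table),
            "out_of_bounds": out_of_bounds, "fill_runs": find_fill_runs(table)}


def build_sample_streams() -> Dict[str, bytes]:
    """Constructed sample, not a real document: a FIB that selects 1Table, whose second
    fc/lcb pair points past the end of that stream, and a 1Table ending in 32 'A' bytes."""
    flags = FIB_FWHICHTBLSTM
    fib_base = struct.pack("<HHHHHH", WORD_FIB_IDENT, 0x00C1, 0, 0x0409, 0, flags).ljust(32, b"\0")
    rg_w = struct.pack("<H", 14) + b"\0" * 28       # csw = 14 words of FibRgW97 (all zero here)
    rg_lw = struct.pack("<H", 22) + b"\0" * 88      # cslw = 22 dwords of FibRgLw97 (all zero here)
    pairs = [(0x00, 0x10), (0x30, 0x100)]           # second pair overruns the 96-byte table stream
    rg_fclcb = struct.pack("<H", len(pairs)) + b"".join(struct.pack("<II", *p) for p in pairs)
    word_doc = fib_base + rg_w + rg_lw + rg_fclcb
    table = bytes(range(0x40)) + bytes([FILL_BYTE]) * 32   # 96 bytes, marker run at 0x40
    return {"WordDocument": word_doc, "1Table": table, "0Table": b"\0" * 16}


if __name__ == "__main__":
    for key, val in check_table_stream(build_sample_streams()).items():
        print("%-13s %r" % (key, val))
```

On a real file, replace `build_sample_streams()` with the stream bytes read from the compound document; the bounds check is cheap structural validation, while the fill-run scan only catches this PoC's lazy padding and says nothing about a payload that uses realistic-looking bytes.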
In sum:
This particular exploit is Word-specific; however, saving and restoring memory dump information directly to file blocks is an "optimization" that is (probably) used across all Microsoft Office products. More exploit PoCs should clarify this issue.
