eWeek Security Watch
December 7, 2006 10:56 AM

Where's the MS Word Zero-Day AV Protection?



UPDATE: More than 48 hours after the confirmation of active exploits of a zero-day vulnerability in Microsoft Word, anti-virus protection remains largely nonexistent -- even through Microsoft's own Windows Live OneCare security product.

Judging from public utterances from security vendors, it looks very much like Microsoft does not have an actual malware sample from the attack.

I asked Microsoft about the absence of a virus definition update in OneCare and got this strange response:

"OneCare currently does not have an addressment for this exploit as it's in early identification stages. Groups across Microsoft are working on solutions to understand the best way to address it. Once more information is learned about this exploit, addressment may be available and will be shared with partners in the industry."

I'm not sure what Redmond means by "early identification stages." (Is "addressment" even a word?) According to the CVE database, Microsoft has known of this vulnerability since Nov. 21, 2006, more than two weeks ago. BigFix's Amrit Williams says the flaw was originally made public on May 12, 2006, seven months ago!

"Something weird is happening, no doubt," said Roger Thompson, chief technology officer at Exploit Prevention Labs. "I simply don't believe they don't have a sample, but it sounds like they don't know how to address it," he said, referring to Microsoft's inability to share information on the attack with anti-virus partners.

On the Symantec blog, the company complained that there is "very little information available regarding the technical details of this new vulnerability."

"Symantec Security Response is monitoring the situation and will respond appropriately once further information is known," the company said. A definition update has been shipped based on what looks like guesswork from Symantec.

The tune was very much the same at Kaspersky, where the company's malware researchers are "monitoring the situation" and waiting for Microsoft to share the data.

No wonder the "anti-virus is dead" meme is picking up steam.

UPDATE, 9:49 p.m. Eastern:

Microsoft wrote in to clarify the information from the CVE database and to point out that issue referenced by BigFix's Amrit Williams has already been addressed by a security update.

A Redmond spokesman explained that the CVE database records the date on which a CVE number is assigned. Microsoft (and other vendors) are pre-assigned CVE numbers in bulk, meaning that these numbers are not assigned to any specific vulnerabilities.

"These numbers are then assigned to specific issues at a later date by the vendor. In this case, the date in the database reflects the date the CVE number was assigned, not the date it was assigned to the vulnerability discussed in Microsoft Security Advisory 929433. Once Microsoft assigned this number to the issue discussed in Microsoft Security Advisory 929433 on December 5, 2006, Microsoft contacted MITRE and they updated their records to reflect this fact."

Separately, the MSRC's Christopher Budd explains what the company means when it talks about "limited, targeted attacks."

"When we talk about "very limited, targeted attacks" we specifically mean this in contrast to attacks that affect a broad number of customers randomly. Unlike these broad, random attacks, these very limited, targeted attacks are carried out against a very small number of customers (sometimes only one or two even) and are carried out in a very deliberate fashion against a specific organization or organizations...Where the goal of these broad, random attacks is large in scope, the goal of these very limited, targeted attacks is generally to introduce malicious software on to the systems of the specific organizations that have been targeted."

Budd also announced that technical details on the flaw and attack have been shared with AV partners so that they can build signatures to detect the malicious software. Definition updates have finally been added to the Windows Live One Safety Scanner.

And finally, it looks like the Word hole will remain open for at least another month. My colleague Matt Hines reports that Microsoft will ship six bulletins on Patch Tuesday next week but nothing for Office in this batch.


Comments (5)

Ryan M. :

There's a very simple solution to this problem. Use OpenOffice!

I'm afraid I just couldn't help myself on that one. :)

If nobody has samples then it can't be much of a real threat in wild.

Tim Normin :

The article says you have to open a document for this to be exploited.

So this is hardly critical compared to bugs downloaded without user action from websites, or emails that infect simply by displaying in the preview pane. Word docs emailed from yurgi spyware creator could have malicious macros and other things too.

sylphid :

You mentioned the Word 0day "originally made public on May 12, 2006"; it should not be the same as 929433. I think it's CVE-2006-2492 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2492).

SecureID :

I downloaded a copy of the zero day exploit.

I loaded it into an unprotected WinXP, turned on some sniffing tools and opened the file.

Word bombed, stated the file was corrupted. Nothing happened.
