Posted by Steven Bink December 14, 2006 10:17 AM with no comments
Application: Word for Windows and Mac
Word 2000
Word XP
Word 2003
Word Viewer 2003
Word v.X for Mac (reported but unverified)

Description:
A new zero-day vulnerability has been publicly released. Because few details are available for the other two active zero-day vulnerabilities originally reported by Microsoft, this disclosed vulnerability is presumed to be a third, separate vulnerability.

Technical Details
(The following offsets are based on WordView.exe version 11.0.8026.0.)
The field at offset 0x274 in 12122006-djtest.doc (0x23000000) is passed into sub_304536D3 as its 5th argument by sub_301A36CD. This number is reduced at 30453712 by a value so far only observed to be 1, then eventually multiplied by 4 at 30193FD6, resulting in the observed 0x8BFFFFFC value which is then added to a pointer at 3019400B to produce the destination passed to memmove. Although the destination pointer produced by 12122006-djtest.doc causes a crash, the field mentioned above could be controlled to target any location, relative to the address at which the data "AAAA" (from offset 0x27E4 in the file) is loaded into memory.
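The arithmetic described above, next to the kind of bounds check a parser needs before using a file-supplied count as a copy offset. This is an added example, not code from Word or from the original write-up; the function names, the 4096-byte buffer and the 16-byte copy length are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ENTRY_SIZE 4u  /* the multiply-by-4 step described in the write-up */

/* Unchecked arithmetic as the write-up describes it: (field - delta) * 4,
   carried out in 32 bits. */
uint32_t unchecked_offset(uint32_t field, uint32_t delta)
{
    return (field - delta) * ENTRY_SIZE;
}

/* Hardened form: returns 0 and stores the offset only if the whole copy
   stays inside a buffer of buf_len bytes; returns -1 otherwise.
   buf_len and copy_len are assumptions of this example. */
int checked_offset(uint32_t field, uint32_t delta,
                   size_t buf_len, size_t copy_len, size_t *out)
{
    if (field < delta)
        return -1;                       /* subtraction would wrap */
    uint32_t index = field - delta;
    if (index > UINT32_MAX / ENTRY_SIZE)
        return -1;                       /* multiplication would wrap */
    size_t off = (size_t)index * ENTRY_SIZE;
    if (copy_len > buf_len || off > buf_len - copy_len)
        return -1;                       /* copy would end past the buffer */
    *out = off;
    return 0;
}

int main(void)
{
    size_t off = 0;
    /* Field value from the write-up, with the observed decrement of 1. */
    printf("unchecked: 0x%08X\n", (unsigned)unchecked_offset(0x23000000u, 1u));
    /* Constructed sizes: a 4096-byte buffer and a 16-byte copy. */
    printf("file value accepted: %s\n",
           checked_offset(0x23000000u, 1u, 4096, 16, &off) == 0 ? "yes" : "no");
    printf("small value accepted: %s\n",
           checked_offset(5u, 1u, 4096, 16, &off) == 0 ? "yes" : "no");
    return 0;
}
```

The checked version rejects the field value from the sample file because the resulting offset lies far outside the buffer, and it also rejects counts whose subtraction or multiplication would wrap in 32 bits.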
Bink.nu 3.0. Copyright © 1999-2010 Steven Bink. All Rights Reserved.
Microsoft and Microsoft logos are trademarks of Microsoft Corporation.