After an emergency patch release last week, and as Microsoft sent out fixes for eight flaws on Patch Tuesday yesterday, McAfee Avert Labs (and others) alerted the masses that at least three new zero-day vulnerabilities in Microsoft Office had been discovered.
Microsoft is investigating, and so far says no known attacks around the flaws have been found. It also says, according to News.com, that none of the problems affect Office 2007.
So ... so far, there's nothing horrible happening in the field with these vulnerabilities to report on.
But I do want to say, especially after commenting on the extremely intricate process of producing fully tested patches in the Redmond development labs, that the suggestion by observers, including McAfee, that the bad guys put out their attacks on or around Patch Tuesday so that users will be exposed longer just makes no sense. Yes, Microsoft has vigorously avoided out-of-cycle patches in the past, but hey, it just released one eight days ago for the .ANI flaw that was producing large-scale attacks, remember?
A patch takes as long as it takes. When attacks are in full swing, Microsoft puts more manpower on the case and gets the job done faster. The black hats surely know that a strategy of consistently exploiting Microsoft flaws on Patch Tuesday would be the fastest way to end that monthly schedule, anyway.