Appears to be another 0-day vulnerability released.
I checked my files and while I am on Office 2003 (upgraded from XP) I have vulnerable 'msjet40.dll' files in my system32 directory...dont know if they are still used but if so Office 2003 is vulnerable as well even though it's not on the list.
Here's the posting by the researcher:
http://www.hexview.com/docs/20050331-1.txt
Here's SecurityFocus' bid:
http://www.securityfocus.com/bid/12960/info/
This vulnerability was announced on March 31, 2005. Not trying to spark another disclosure debate but it would seem to me that giving a vendor 1 day notice before announcing your findings is a wee-bit too small.Microsoft was notified on March 30, 2005. Message acknowledged by an automated reply. No human response received.
Doubt M$ will have enough time to get a patch ready for next Tuesday...but one could only hope.
Thought you all should be aware.