Hours after releasing four patches as part of its monthly security update, Microsoft warned late Tuesday of a new, zero-day vulnerability in Word that is being actively exploited in targeted but limited attacks.
The flaw — which garnered tracking firm Secunia’s highest grade of “extremely critical” — resides in Word 2002 Service Pack 3, according to a Microsoft advisory. Users of all other Word versions are not affected.
For the attack to occur, individuals must be tricked into opening a malicious email attachment delivered through a phishing email, or visit a rogue website hosting the vulnerability, Microsoft said. Successful exploitation could result in remote code execution.
Ben Greenbaum, senior research manager for Symantec Security Response, said his team is investigating whether other versions of Office could be susceptible to the attack. He said researchers have seen “some kind of vulnerable behavior” in Office 2000, 2003 and XP.
“Some of those versions have been seen to crash in result to an attack,” he said, adding that researchers are trying to determine whether the crash is benign in nature or if it reflects an attacker’s ability to execute code.
In lieu of a patch, users should ensure they keep their patches up to date and do not open any Word files that they were not expecting to receive, Greenbaum said.