New “extremely critical” unpatched flaw reported in Microsoft Office

Security experts today are warning of a trojan that is actively exploiting a new, unpatched Microsoft Word zero-day vulnerability.

The flaw, reported in Microsoft Word 2000 when running on Windows 2000, is caused by an unspecified error that occurs when a computer processes Word documents, according to vulnerability monitoring firm Secunia. The vulnerability is exploited when a malicious document is opened, dropping a trojan and allowing the intruders to remotely execute arbitrary code and compromise a user's PC.

Secunia rated the flaw "extremely critical," its highest threat rating. McAfee Avert Labs and Symantec have reported in-the-wild samples of a trojan exploiting the vulnerability. McAfee has named the malware W32/Mofei.worm, while Symantec is calling it Trojan.MDropper.Q.

Hon Lau, a senior security response engineer at Symantec, said in a blog posting Sunday that vulnerabilities in Microsoft Office likely will continue because the application provides a hideaway for malware. A similar zero-day bug occurred in May and affected Word 2003 versions.

"Microsoft Office vulnerabilities are a great platform for social engineering and email based attacks," Lau said. "Enterprises, small businesses and consumers continue to share and exchange information using Microsoft Office documents. As most of these document types are generally allowed to pass through most firewalls and security solutions, Microsoft Office documents are (a) good vehicle for hiding executable malicious code."

As a fix for the current flaw, experts recommend users do not open untrusted Office documents.

A Microsoft spokesman said in an email today that the company is "investigating new public reports of a possible vulnerability in Microsoft Word. Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time."

The spokesman said the Redmond, Wash. software giant may issue a security update to fix the issue. Windows Live OneCare has been updated to block malware associated with the vulnerability. The company's next monthly patch release is scheduled for Sept. 12.
