Users of Microsoft Word have been left in the cold after a critical flaw in the ubiquitous Office programme was left unpatched by Microsoft.

Despite widespread reports of the "extremely critical" zero-day exploit, the September patch issue only contained three fixes, none of which covered the issue.

"It could be another month before the patch becomes available," warned Alan Bentley, managing director of PatchLink EMEA (pictured, above). "There have not been any widespread attacks on this exploit yet, but at least forewarned is forearmed."

Security company Symantec said it detected an exploit, which affects systems running Windows 2000, in the shape of Trojan MDropper.Q.

This uses a two-step attack, exploiting the Microsoft Word vulnerability to drop another file, a new variant of Backdoor.Femo. "Microsoft Office vulnerabilities are a great platform for social engineering and email-based attacks," a Symantec security advisory reads. "Until a vendor-supplied patch is made available and then installed, users should follow safe computing practices and exercise extreme caution."