Hackers may already be exploiting a new vulnerability in Word and Office programs, in an attack designed to exploit Microsoft's Patch Tuesday schedule.
The bug, which emerged one day after the company fixed six other Word bugs on Tuesday, affects Office 2000 and Office XP, Microsoft said in a security advisory on Wednesday. It allows an attacker to create a specially-crafted Word document that, if opened, could give them remote control of a victim's computer. As usual, it advised great caution when opening unsolicited attachments.
Microsoft said it had received reports of "very limited, targeted" attacks. Danish security vendor Secunia ranked the problem as "extremely critical."
The emergence of a security bug so soon after Microsoft's scheduled patch release may not be coincidence. It follows pattern in which hackers are maximising the amount of time they have to take advantage of a vulnerability, said Thomas Kristensen, Secunia's chief technical officer. Microsoft rarely diverts from its patch schedule, set for the second Tuesday of the month, although it said it would in this case if it considers it necessary.
Office applications such as Word are "low-hanging fruit" for hackers, since the programs haven't been audited for security as much as some others, such as Internet Explorer, Kristensen said.
The hackers find a vulnerability by manipulating a document and testing how Word reads it. In this case, a modified document can corrupt system memory in a way that allows the attacker to execute code on the machine remotely. As well as sending the document via email, the hacker could embed it in a Web page and try to lure users into visiting that page.
"Attacking using this vector is fairly easy," Kristensen said.
However, new security features in Windows Vista, released to the general public last month, may prevent similar types of attack, so hackers may be making an extra effort to exploit them while they can, he said.