Criminals are exploiting a flaw in the Microsoft Access to install unauthorised software on computers according to the United States Computer Emergency Readiness Team (US-CERT).
US-CERT said in a statement that the organisation is "aware of active exploitation" of the problem by criminals who have sent specially crafted Microsoft Access Database (.mdb) files to victims.
These files are "designed for the sole purpose of executing commands," so they should not be accepted from untrusted sources, Microsoft said on its website.
Run by the US Department of Defence, US-CERT is charged with coordinating the nation's response to cyberattacks.
Companies typically block the use of .mdb files, but criminals could be using this attack in a targeted strike against an organisation that is known to use this particular file-type, said Ben Greenbaum, senior manager for Symantec security response. Symantec itself has seen no evidence of the .mdb exploitation that prompted the US-CERT alert.
The files are not something that the average user would come across on a daily basis, he added. ".Mdb files are blocked by default in most installations of Internet Explorer and Outlook Express," he said. "I am a bit surprised to see active exploitation happening over this vector."
While US-CERT did not say which flaw was being exploited, Greenbaum said the vulnerability could be a recently discovered buffer overflow bug in the Microsoft Jet DataBase engine used to parse Access files.