Attackers are exploiting an unpatched bug in Word, Microsoft confirmed, just hours after its Patch Tuesday release fixed nine vulnerabilities in a range of its programmes.
In a security advisory it, the Microsoft Security Response Center (MSRC) said attackers were exploiting a flaw in Word 2002. However, MSRC spokesman Bill Sisk downplayed the threat. "At this time, Microsoft is aware only of limited, targeted attacks that attempt to use this vulnerability," Sisk said in an e-mail.
As is its practice, Microsoft provided few details of the vulnerability other than to say that it could be triggered by rigged Word documents if the user opened them. The company did not say how the in-the-wild attacks were delivering the malicious .doc files, but if the past is any indicator, criminals are sending malformed files as e-mail attachments.
"When a user opens a specially crafted Microsoft Word file that has malformed data, it may corrupt system memory in a way that could be leveraged by an attacker to execute arbitrary code," the advisory read.
According to Microsoft, only Word 2002 contains the vulnerability. Other versions of the popular word processing programme -- including Word 2000, Word 2003 and Word 2007 on Windows, and Word 2004 and Word 2008 on the Mac -- are not affected. Word 2003 Viewer, a free viewing- and printing-only tool, is also safe to use, said Microsoft.
In lieu of a patch, the MSRC advisory recommended that users turn to Word 2003 Viewer to open and view Word files. Sisk said that a patch may be forthcoming, but did not specify a timetable.
Earlier on 8 July, Symantec warned that it had seen attackers exploiting an unpatched bug in Word, but the security firm had offered even less information than Microsoft did hours later.
Word has been patched twice already this year, most recently in May when Word 2000, 2002, 2003 and 2007 on Windows, and Word 2004 and Word 2008 were fixed to stymie attacks using other types of malicious documents. Office bugs, in general, and Word vulnerabilities, in particular, have regularly been exploited over the last three years.
Tuesday's advisory was the second one that Microsoft issued this week. On Monday, the company warned that other attackers were exploiting a flaw in the Snapshot Viewer ActiveX control bundled with all versions of Access, Office's database programme, except the newest edition, Access 2007.
Also Tuesday, Microsoft released four security updates that patched nine vulnerabilities, but none patched flaws in Office