Hours after releasing four patches as part of its monthly security update, Microsoft warned late Tuesday of a new, zero-day vulnerability in Word that is being actively exploited in targeted but limited attacks.
The flaw - which garnered tracking firm Secunia's highest grade of "extremely critical" - resides in Word 2002 Service Pack 3, according to a Microsoft advisory. Users of all other Word versions are not affected.
For the attack to occur, individuals must be tricked into opening a malicious email attachment delivered through a phishing email, or into visiting a rogue website hosting the vulnerability, Microsoft said. Successful exploitation could result in remote code execution.
Ben Greenbaum, senior research manager for Symantec Security Response, said his team is investigating whether other versions of Office could be susceptible to the attack. He said researchers have seen "some kind of vulnerable behaviour" in Office 2000, 2003 and XP.
"Some of those versions have been seen to crash in result to an attack," he said, adding that researchers are trying to determine whether the crash is benign in nature or if it reflects an attacker's ability to execute code.
In lieu of a patch, users should ensure they keep their patches up to date and do not open any Word files that they were not expecting to receive, Greenbaum said.