Microsoft has confirmed reports from security experts
that a “zero-day” bug in Word could let hackers seize control of
computer systems.
The US Computer Emergency Readiness Team (US-Cert)
warned, “Opening a specially crafted Word document, including
documents hosted on websites or attached to e-mail messages, could
trigger the vulnerability.”
The buffer overflow vulnerability affects Microsoft’s Word 2003
and Word XP (2002) editions, but other versions of Word, and other
Microsoft Office programs “may be affected” or could be used to
launch an attack if a malicious Word document was embedded into
them, US-Cert said.
The security agency warned users not to open unfamiliar or
unexpected Word or other Office documents, including those received
as e-mail attachments or hosted on a website. It added: “Do not rely
on file extension filtering.”
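One way a mail gateway could act on the “do not rely on file extension filtering” advice, as an added example that is not part of the original article or of any US-Cert or Microsoft guidance: it recognises Office 97-2003 container files by the OLE2 compound-file header instead of by filename, so a renamed .doc is still routed for inspection. The extension list and the sample attachments are constructed for the example.

```python
from pathlib import PurePath

# Signature of the OLE2 Compound File Binary format that Word 97-2003 .doc
# files (and Excel/PowerPoint 97-2003 files, which can carry an embedded
# Word document) start with. This is a documented, well-known value.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions an extension-only filter would typically look for (assumption).
WORD_EXTENSIONS = {".doc", ".dot"}


def extension_says_word(filename: str) -> bool:
    """The weak check: trusts whatever name the sender chose."""
    return PurePath(filename).suffix.lower() in WORD_EXTENSIONS


def content_says_ole2(data: bytes) -> bool:
    """The content check: looks at the first bytes, not the name."""
    return data[:8] == OLE2_MAGIC


def classify(filename: str, data: bytes) -> dict:
    """Report what each method concludes for one attachment."""
    return {
        "by_extension": extension_says_word(filename),
        "by_content": content_says_ole2(data),
    }


def attachments_to_inspect(attachments: dict) -> list:
    """Names of attachments that are Office containers, whatever they are called."""
    return sorted(name for name, data in attachments.items() if content_says_ole2(data))


# Constructed sample attachments (header bytes plus padding; not real documents).
SAMPLE_ATTACHMENTS = {
    "agenda.doc": OLE2_MAGIC + b"\x00" * 24,   # both checks agree: Office file
    "notice.txt": OLE2_MAGIC + b"\x00" * 24,   # renamed .doc: extension filter misses it
    "readme.doc": b"plain text with a .doc name",  # not an Office container at all
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, classify(name, data))
    print("inspect:", attachments_to_inspect(SAMPLE_ATTACHMENTS))
```

The content check only says "this is an Office container that Word may open"; it flags what should go on to the sandbox or scanner, it does not itself decide whether the document is malicious.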
Microsoft security programme manager Stephen Toulouse confirmed
that the company had received “singular reports of attacks” and had
been working directly with the affected users.
On Microsoft’s security blog, Toulouse said: “The attack we’ve
seen is e-mail based. The e-mails tend to arrive in groups, they
often have fake domains that are similar to real domains of the
targets, but the targets are valid e-mail addresses.”
Two of the e-mail subject lines seen by Microsoft were “Notice” and
“RE Plan for final agreement”.
The software giant was “hard at work on an update”, Toulouse
added.