Attackers are targeting a new zero-day flaw in Microsoft Word and
users should be cautious when opening unsolicited file attachments,
the software giant warned in an
advisory Tuesday.
Microsoft said the "limited" zero-day attacks affect Microsoft
Word 2000 and 2002; Microsoft Office Word 2003; Microsoft Word
Viewer 2003 and 2004 for Mac; Microsoft Word 2004 version X for
Mac; and Microsoft Works 2004, 2005 and 2006.
"In order for this attack to be carried out, a user must first
open a malicious Word file attached to an e-mail or otherwise
provided to them by an attacker," Microsoft said. "As a best
practice, users should always exercise extreme caution when opening
unsolicited attachments from both known and unknown sources."
Microsoft said the investigation continues and that it may
develop a patch if the situation requires one.
The French Security Incident Response Team (FrSIRT) described
the flaw as a memory corruption error that occurs when malformed
documents are handled. Attackers could exploit the flaw to execute
malicious commands on targeted machines, FrSIRT said in its
advisory.
Microsoft and other vendors have been forced to contend with an
explosion of zero-day attacks this year, and Aliso Viejo,
Calif.-based eEye Digital Security has launched a new
Web page to help IT administrators keep track.
As of Tuesday, the site listed seven zero-day flaws, six
affecting Microsoft and one affecting Adobe Acrobat. The vendor
outlines steps users can take to mitigate each flaw.
"The increasing proliferation of zero-day vulnerabilities means
the previous window of opportunity IT had to secure networks
between the release of a software patch and an attack has been
slammed shut," Marc Maiffret, eEye's founder and CTO, said in a
statement. "More zero-day security vulnerabilities and attacks are
being discovered every day and dealing with them can easily
dominate an enterprise's IT efforts. As a result, we've been
overwhelmed by requests from our customers to give them the
information and time they need to protect their networks."