According to the French Security Incident Response Team (FrSIRT), the problem is a memory corruption error that appears when malformed documents are handled. Attackers could exploit this to execute arbitrary commands by tricking a user into opening a specially crafted Word document, FrSIRT said.
"From the initial reports and investigation we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis," Scott Deacon of the MSRC said in the blog entry. "We're tracking this issue and [will] provide updates should the situation change or [if] we become aware of new information."
The flaw affects Microsoft Word 2000, 2002, 2003 and Word Viewer 2003.
Despite the appearance of two new Word zero-days, the software giant is not scheduled to release any Word patches during its monthly security update Tuesday. The update will instead focus on Windows and Visual Studio, which has also been affected by a zero-day flaw.