Microsoft has confirmed a new security vulnerability in Microsoft Word, just days after it patched a number of other Office vulnerabilities as part of its monthly patching cycle.
There is no patch for the latest vulnerability, and there are suggestions that attackers are waiting for Microsoft to release its monthly patches before taking advantage of new flaws.
The vulnerability appears in both the Microsoft Office 2000 and Microsoft Office XP productivity suites, and Microsoft says attackers have reportedly already carried out “limited targeted attacks” using the vulnerability.
Internet security software firm Secunia said the vulnerability is caused by an unspecified error when parsing Word documents and can be exploited to cause memory corruption.
Successful exploitation also allows execution of arbitrary code, said Secunia, which classed the flaw as “highly critical”, as it was already being exploited.
In order for this attack to be carried out, said Microsoft, a user must first open a malicious Office file attached to an e-mail.
Microsoft has added detection to its own Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit the vulnerability.
Most web users, though, will have to wait for Microsoft to provide a patch for the threat, unless other security software suppliers quickly add protection to their own scanning engines.
Microsoft said it would consider issuing a security patch for the flaw as part of its monthly schedule or sooner. The next scheduled patching date is 13 March.