The flaw allows an attacker to gather private data from a user by mailing a Word document containing hidden fields. When the victim opens the document, the fields retrieve data from the user's hard disk. The attacker can then collect the private information when the victim e-mails the document back.
On its security Web site Microsoft said it was continuing to investigate the flaw and would provide fixes for all supported versions of Word. It advised users not to reply to unsolicited, untrusted or suspicious documents, since the attack depends on the victim sending the document back. Microsoft also said there are a number of reasons why this issue would be difficult to actively exploit.
To exploit the flaw, an attacker would need to know the names and locations of the files on the victim's machine that hold the information to be stolen. The hidden fields read specific files by path; they cannot scan the hard disk for interesting data.
"We believe there are some important mitigating factors," said Lynn Terwoerds, security program manager at Microsoft, referring to the difficulty of exploiting the vulnerability. "A successful attack, in which several best practices and mitigating factors are not applied, could potentially allow a malicious user to view the contents of a targeted file."
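As an added illustration, not part of the article and not Microsoft's guidance, the Python script below scans a Word document for the pattern described above: an include-style field that reads a file from a fixed local path and is formatted as hidden text, so the reader never sees it. Everything about the format is an assumption on my part: the article does not name the field type (INCLUDETEXT and INCLUDEPICTURE are my guess at the include-style fields worth flagging) and does not say which Word file format is involved (the scanner parses the XML-based .docx format). The sample document body is constructed for the example.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
NS = {"w": W_NS}

# Field types that pull a file's contents into the document when fields update.
# Assumption: the article does not name the field used in the attack; these two
# include-style fields are the ones flagged here.
INCLUDE_FIELDS = ("INCLUDETEXT", "INCLUDEPICTURE")

# Drive-letter, UNC or POSIX absolute paths; anything else (e.g. a URL) is not local.
LOCAL_PATH_RE = re.compile(r"^([A-Za-z]:\\|\\\\|/)")

# Constructed sample body (word/document.xml) with one benign DATE field, one hidden
# INCLUDETEXT reading a fixed local path, and one INCLUDEPICTURE pointing at a URL.
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body>
<w:p><w:r><w:t>Please review and send back.</w:t></w:r></w:p>
<w:p>
<w:r><w:rPr><w:vanish/></w:rPr><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:rPr><w:vanish/></w:rPr><w:instrText xml:space="preserve"> INCLUDETEXT "C:\\Users\\victim\\secrets.txt" </w:instrText></w:r>
<w:r><w:rPr><w:vanish/></w:rPr><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:rPr><w:vanish/></w:rPr><w:t>(file contents land here once fields update)</w:t></w:r>
<w:r><w:rPr><w:vanish/></w:rPr><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p><w:fldSimple w:instr=" DATE \@ &quot;d MMMM yyyy&quot; "><w:r><w:t>1 January</w:t></w:r></w:fldSimple></w:p>
<w:p><w:fldSimple w:instr=' INCLUDEPICTURE "https://example.com/logo.png" \d '><w:r><w:t></w:t></w:r></w:fldSimple></w:p>
</w:body>
</w:document>"""


def is_hidden(run):
    """True if the run carries the hidden-text property (w:vanish)."""
    return run.find("w:rPr/w:vanish", NS) is not None


def iter_fields(paragraph):
    """Yield (instruction, hidden) for each field in one paragraph, simple and complex."""
    # Simple fields keep the whole instruction in an attribute.
    for fld in paragraph.iter(W + "fldSimple"):
        hidden = any(is_hidden(r) for r in fld.iter(W + "r"))
        yield fld.get(W + "instr", "").strip(), hidden
    # Complex fields spread the instruction over runs between begin/end markers;
    # a depth counter keeps nested fields from ending the outer one early.
    depth, buf, hidden = 0, [], False
    for run in paragraph.iter(W + "r"):
        marker = run.find("w:fldChar", NS)
        if marker is not None:
            kind = marker.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    buf, hidden = [], is_hidden(run)
                depth += 1
            elif kind == "end" and depth:
                depth -= 1
                if depth == 0:
                    yield "".join(buf).strip(), hidden
            continue
        if depth:
            hidden = hidden or is_hidden(run)
            buf.extend(t.text or "" for t in run.findall("w:instrText", NS))


def local_path(argument):
    """Return the field's file argument if it is a local or UNC path, else None."""
    quoted = re.search(r'"([^"]+)"', argument)
    token = quoted.group(1) if quoted else (argument.split() or [""])[0]
    return token if LOCAL_PATH_RE.match(token) else None


def scan_document_xml(document_xml):
    """Flag include-style fields; report the path they read and whether they are hidden."""
    root = ET.fromstring(document_xml)
    findings = []
    for para in root.iter(W + "p"):
        for instr, hidden in iter_fields(para):
            tokens = instr.split()
            if not tokens or tokens[0].upper() not in INCLUDE_FIELDS:
                continue
            findings.append({
                "field": tokens[0].upper(),
                "local_path": local_path(instr[len(tokens[0]):].strip()),
                "hidden": hidden,
            })
    return findings


def suspicious(findings):
    """The pattern the article describes: a hidden field reading a specific local file."""
    return [f for f in findings if f["hidden"] and f["local_path"]]


def scan_docx(path):
    """Scan a .docx on disk (main body only; headers and footers can carry fields too)."""
    with zipfile.ZipFile(path) as zf:
        return scan_document_xml(zf.read("word/document.xml"))


if __name__ == "__main__":
    for finding in scan_document_xml(SAMPLE_DOCUMENT_XML):
        print(finding)
```

Run it against a real file with `scan_docx("incoming.docx")`. The check mirrors the constraint in the article: the field has to name a specific file, so a path argument is exactly what a mail gateway or a cautious recipient can look for before sending a document back.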