Microsoft has confirmed reports from security experts that a “zero-day” bug in Word could let hackers seize control of computer systems.
The US Computer Emergency Readiness Team (US-Cert) warned, “Opening a specially crafted Word document, including documents hosted on websites or attached to e-mail messages, could trigger the vulnerability.”
The buffer overflow vulnerability affects Microsoft’s Word 2003 and Word XP (2002) editions, but other versions of Word and other Microsoft Office programs “may be affected”, or could be used to launch an attack if a malicious Word document were embedded in them, US-Cert said.
The security agency warned users not to open unfamiliar or unexpected Word or other Office documents, including those received as email attachments or hosted on a website. It added: “Do not rely on file extension filtering.”
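US-Cert’s point about extension filtering is that a Word binary document is recognised by its content, not its name, so a mail gateway or desktop filter that only blocks `.doc` attachments can be sidestepped by renaming the file. The following Python script is an added illustration of the alternative, content-based check; it is not code from the article, US-Cert or Microsoft. It keys on the OLE2 compound-file signature that binary Word, Excel and PowerPoint files of that era share (so it flags the whole family the advisory says “may be affected”, not Word alone), and the attachment names and bytes are constructed test data.

```python
import os

# OLE2 Compound File Binary header: binary Word (.doc), Excel (.xls) and
# PowerPoint (.ppt) files from the Office 2003 era all use this container.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
OFFICE_BINARY_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt"}


def is_ole2_document(data: bytes) -> bool:
    """True if the payload starts with the OLE2 compound-file signature."""
    return data[: len(OLE2_MAGIC)] == OLE2_MAGIC


def classify_attachment(name: str, data: bytes) -> str:
    """Compare what the extension claims with what the bytes actually are.

    Returns one of:
      'office-binary'            extension and content agree it is an Office file
      'office-binary-disguised'  content is an OLE2 file but the extension says otherwise
      'not-office-binary'        content is not an OLE2 file (whatever the extension)
    """
    ext = os.path.splitext(name)[1].lower()
    if is_ole2_document(data):
        return "office-binary" if ext in OFFICE_BINARY_EXTENSIONS else "office-binary-disguised"
    return "not-office-binary"


def select_for_quarantine(attachments):
    """Return names of attachments whose content is an OLE2 Office document.

    An extension-only rule would pass the '.txt' sample below; the content
    check holds it back, which is the substance of the "do not rely on file
    extension filtering" advice.
    """
    return [name for name, data in attachments if is_ole2_document(data)]


# Constructed sample attachments (not real documents or malware): the OLE2
# header followed by filler, and a plain-text file, under honest and
# misleading names.
SAMPLE_ATTACHMENTS = [
    ("Notice.doc", OLE2_MAGIC + b"\x00" * 24),
    ("agreement.txt", OLE2_MAGIC + b"\x00" * 24),  # OLE2 content, wrong extension
    ("readme.doc", b"just some text\n"),           # .doc name, not an OLE2 file
    ("budget.xls", OLE2_MAGIC + b"\x00" * 24),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(f"{name:16} {classify_attachment(name, data)}")
    print("quarantine:", select_for_quarantine(SAMPLE_ATTACHMENTS))
```

The signature check only says “this is an OLE2 container”; telling Word from Excel inside it would require parsing the container’s directory streams, which is more than a gateway filter needs when the advice is to hold all unexpected Office documents.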
Microsoft security programme manager Stephen Toulouse confirmed that the company had received “singular reports of attacks” and had been working directly with the affected users.
On Microsoft’s security blog, Toulouse said: “The attack we’ve seen is e-mail based. The e-mails tend to arrive in groups, they often have fake domains that are similar to real domains of the targets, but the targets are valid e-mail addresses.”
Two of the e-mail subject lines seen by Microsoft were “Notice” and “RE Plan for final agreement”.
The software giant was “hard at work on an update”, Toulouse added.