Microsoft is testing a patch for a zero-day bug in its Word software and may release it ahead of its regular monthly security update in June.
The buffer overflow vulnerability in Microsoft Word XP and Microsoft Word 2003, which emerged late last week, can be triggered by opening a specially crafted malicious Word document sent as an e-mail attachment by an attacker.
The software giant said it was “completing development” of a security update for Word that would fix the vulnerability.
“The security update is now being finalised through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted,” Microsoft said in a security advisory notice.
The company said that it was concerned that the reported vulnerability “was not disclosed responsibly”.
“We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests,” said the company.
“This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”
The advisory notice did not give details of how news of the vulnerability emerged. In an entry on the Microsoft security response centre blog, dated Friday 19 May, the company’s security programme manager Stephen Toulouse noted only that Microsoft had “received a report that a customer had been subjected to a very targeted attack using this vulnerability”.
A later entry adds that the software firm had “received singular reports of attacks and have been working directly with the couple of customers thus far affected”.