Zero-Day Attacks Gnawing At Microsoft Word


In an advisory issued Tuesday, the Redmond, Wash.-based software giant said the attacks target a vulnerability in Microsoft Word 2000 and 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005 and 2006.

Microsoft said it is working to develop a patch for the vulnerability but has yet to do so.

The flaw stems from a memory corruption error that's triggered when a user opens an infected Word file. To exploit the vulnerability, attackers would have to dupe users into opening an infected Word file, which commonly happens when a user clicks on an e-mail attachment or Web page link, according to the advisory.

Successful attackers would be able to access the affected machine with the rights of the local user, but the impact of that can be mitigated by not allowing user accounts to run with administrative access, Microsoft said.

The French Security Incident Research Team (FrSIRT) and Danish security research firm Secunia gave the vulnerability their highest threat ratings, but Symantec saw it as less severe, weighing in with an aggregate threat score of 7.8 on a 10-point scale.

Microsoft's next monthly patch release is scheduled for Dec. 12.