Another Word zero-day bug used in attacks

A fourth yet-to-be-patched security vulnerability in Microsoft Word is actively being exploited in cyberattacks, the company has warned.

By Joris Evers
Staff Writer, CNET News.com

Published: January 25, 2007, 3:57 PM PST

Watch out for malicious Word documents.

Another previously undocumented, yet-to-be-patched security vulnerability in Microsoft Word is actively being exploited in cyberattacks, Microsoft said Thursday.

The vulnerability is the fourth zero-day vulnerability to arise in the Microsoft application in two months. Microsoft hasn't provided patches for any of the flaws, despite acknowledging that the holes are being used in attacks on its customers.

"There have been very limited attacks reported that are attempting to use the reported vulnerability at this time," a Microsoft representative said Thursday in a statement about the latest problem. The company is investigating this latest report and may issue a patch, if needed, the representative said.

The newest problem allows an attacker to hijack systems running Word 2000 and causes a crash of Word 2003 and Word XP, Symantec said in an alert Thursday. "An attacker could exploit this issue by enticing a victim to open a malicious Word file," the Cupertino, Calif.-based security company said.

Security experts have said the limited-scale attacks are the most dangerous. Widespread worms, viruses or Trojan horses sent to millions of mailboxes are typically not a grave concern because they can be blocked. Instead, especially for businesses, targeted Trojan horses have become nightmares, as they can fly under the radar.

Symantec advises people to make sure their security software is up-to-date and urges caution when opening Word documents. Businesses should put policies in place to prevent Word documents from being distributed to users, Symantec said.