REDMOND, WA – Microsoft issued a security advisory yesterday stating that the company was “investigating a new report of limited ‘zero-day’ attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.”In its advisory, Microsoft noted that in order for the attack to be carried out, “a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.”
The security hole has not yet been patched and although Microsoft says that the attacks are “limited,” the advisory nonetheless recommends that “As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.”
The vulnerability is similar to other “zero-day” attacks that have targeted various Office components in recent months. In May, another attack targeting Word was identified and an exploit directed at Excel was reported earlier this year, as well.
The Microsoft advisory states that the company “will take the appropriate action to help protect our customers” once their investigation of the attacks has been completed. A security update addressing the problem may be released through Microsoft’s monthly release process, or the company may provide an “out-of-cycle security update, depending on customer needs,” according to the advisory.
Microsoft customers in Canada and the U.S. that believe they have been affected by an attack can receive no-charge support from Microsoft Product Support Services at 1-866-PCSAFETY.
International customers can receive support from “their local Microsoft subsidiaries,” according to the advisory. For more information about how to contact Microsoft for support issues, international users can visit the company’s international support website at: http://support.microsoft.com/common/international.aspx
