Successful attacks require users to open a malformed Word 2000 file attachment or download one from a malicious Web site.
Microsoft is digging into the fourth unpatched vulnerability in Microsoft Word in the last two months, the company security team said.
The zero-day flaw, which was first publicized Friday by Symantec , lets attackers hijack PCs running Microsoft Word 2000, and crash machines with Word 2002 or 2003. Attacks already are under way.
Microsoft's Security Response Center (MSRC) posted a warning late Friday. "We are currently investigating a report of a posting of proof of concept code which could allow an attacker to execute code on a user's machine by convincing them to open a specially-crafted Word document," Alexandra Huft of the MSRC in a blog posting. "We are aware of very limited, targeted attacks attempting to use the vulnerability reported."
Successful attacks require users to open a malformed Word 2000 file attachment, or download and open such a document from a malicious Web site, said Microsoft.
The flaw is the fourth Word flaw to go unpatched. In early-to-mid December, Microsoft acknowledged three other Word vulnerabilities. None of those bugs were patched during the December or January regularly scheduled security updates.
In the Friday warning, Microsoft promised to patch the new Word 2000 zero-day flaw but set no timetable for producing a fix.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.