The company posted an advisory on its Web site saying eEye researchers found the flaw and reported it to Microsoft on Feb. 16. It is a remotely exploitable vulnerability in Publisher 2007, part of Office 2007, that allows an attacker to execute arbitrary code with the privileges of the logged-in user.
Brown and Andre Derek Protas, a security researcher with eEye, both hesitated to say where the flaw is in Publisher or what kind of flaw it is for fear that it would only help hackers build an exploit for it.
"I'll give [Microsoft] a lot of credit in raising their level of responsiveness," says Brown. "But it's one thing to have a flaw and it's another thing to have a remote control flaw. Through their trustworthy computing initiative, they've implemented code quality processes. For something so recently released to have a remote control vulnerability was a real surprise to our researchers."
Protas says he had been hoping for tighter security in this latest version of Office, but he's pretty doubtful now.
"I'd say we are dealing with the same level of security as we did with Office 2000 and Office 2003. It's not going to be the silver bullet of Office security."
A Microsoft spokesman, responding to InformationWeek questions in an e-mail, said Microsoft is investigating new reports of a possible vulnerability in Microsoft Publisher 2007.
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time," he says. "Microsoft will continue to work with eEye to further understand this report as part of our standard MSRC investigation process and will provide additional guidance for customers as necessary."