Microsoft is digging into the fourth unpatched vulnerability in Microsoft Word in the last two months, the company security team said.
The zero-day flaw, which was first publicized Friday by Symantec , lets attackers hijack PCs running Microsoft Word 2000, and crash machines with Word 2002 or 2003. Attacks already are under way.
Microsoft's Security Response Center (MSRC) posted a warning late Friday. "We are currently investigating a report of a posting of proof of concept code which could allow an attacker to execute code on a user's machine by convincing them to open a specially-crafted Word document," Alexandra Huft of the MSRC in a blog posting. "We are aware of very limited, targeted attacks attempting to use the vulnerability reported."
Successful attacks require users to open a malformed Word 2000 file attachment, or download and open such a document from a malicious Web site, said Microsoft.
The flaw is the fourth Word flaw to go unpatched. In early-to-mid December, Microsoft acknowledged three other Word vulnerabilities. None of those bugs were patched during the December or January regularly scheduled security updates.
In the Friday warning, Microsoft promised to patch the new Word 2000 zero-day flaw but set no timetable for producing a fix.