Updated Tuesday, Sept. 5 with additional details from Microsoft.
With a week to go before Microsoft releases its next batch of security patches, vulnerability watchers are warning of a new zero-day Word flaw that attackers could exploit to take control of Windows 2000 machines.
The threat was first reported Saturday by Cupertino, Calif.-based antivirus giant Symantec Corp. in an email advisory to customers of its DeepSight Threat Management Service.
According to Symantec's analysis, Microsoft Word is prone to an unspecified remote code-execution vulnerability attackers could exploit to execute arbitrary code on a vulnerable computer by supplying a malicious Word document to a user. If a recipient opens such a document, an attacker could "gain subsequent unauthorized access to the computer in the context of the user."
Symantec said the vulnerability is being actively exploited by Trojan.MDropper-Q.
Trojan.MDropper-Q in turn unloads another piece of malware onto affected machines that Symantec identified as Backdoor.Femo. This malware, first detected in the wild three years ago, hands control of an affected machine to an attacker.
While Symantec withheld full details of the vulnerability, the French Security Incident Response Team (FrSIRT) described it as a memory-corruption error when handling a malformed document. It rated the flaw as critical, due to the active exploits.
In its advisory, Danish vulnerability clearinghouse Secunia rated the flaw "extremely critical" -- the highest of its threat ratings -- confirming the existence of the flaw in Microsoft Word 2000 running on Windows 2000 machines.
Secunia and Symantec recommended users mitigate the threat by not opening untrusted documents.
"Users should never accept files from untrusted or unknown sources, because they may be malicious in nature," Symantec said. "Avoid opening email attachments from unknown or questionable sources."
Symantec also recommended IT shops battle the threat with multiple, redundant layers of security.
"Since this issue may be leveraged to execute code, we recommend memory-protection schemes, such as non-executable stack/heap configurations and randomly mapped memory segments," Symantec said. "This tactic may complicate exploitation of memory-corruption vulnerabilities."
Microsoft said it is investigating the threat. "In order for this attack to be carried out, a user must first open a malicious Word document that is sent as an email attachment or otherwise provided to them by an attacker," a company spokesman said by email. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs."
The software giant's next monthly patch release is Tuesday, Sept. 12. An advance notice on the programs to be fixed will be available on Microsoft's TechNet site Thursday.