"There have been very limited attacks reported that are attempting to use the reported vulnerability at this time," a Microsoft spokeswoman said in an email. "Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary."
Once its investigation is complete, Microsoft said it will take the appropriate action to protect its customers, which may include issuing a security advisory or providing a security update through its monthly release process.
Cupertino, Calif.-based antivirus giant Symantec Corp. sent an alert on the new Word zero-day to customers of its DeepSight threat management service earlier Thursday. According to the alert, "Microsoft Word 2000 is prone to a remote code-execution vulnerability that arises because of a memory-corruption vulnerability."
Symantec said the exact nature of the problem isn't yet clear, but that code execution in Word 2000 and Word 2003/XP has been confirmed. The company said it will provide a more detailed analysis once its investigation is finished.
Of the flaw, Symantec said, "An attacker could exploit this issue by enticing a victim to open a malicious Word file. If the attack is successful, the attacker may be able to execute arbitrary code in the context of the currently logged-in user."
The company added, "Exploits against Word 2003/XP result in a denial of service due to complete CPU utilization, denying service to legitimate users."
This is the fourth zero-day flaw reported in Word in recent months. Microsoft has acknowledged each flaw, but has not yet issued a security update to fix them. When Word fixes weren't included in the software giant's January patch rollout, security experts speculated that the company might be compelled to release an out-of-cycle patch. That hasn't happened yet, and the next scheduled patch release is Tuesday, Feb. 13.
As for attacks against this latest flaw, Symantec described the sequence of events in its advisory:
- A malicious Word document arrives by email with a fake message designed to dupe the user into opening the attachment.
- When the infected Word document is opened, it drops Trojan horse programs onto the machine that allow the attacker to gain remote access.
- The attacker then creates a clean Word document named "Summary on China's 2006 Defense White paper.doc".
- The Trojan then checks for Internet connectivity and, once connected, creates a back door on the machine.
- It connects to the pop.newyorkerworld.com domain on TCP port 80 and carries out its instructions, which could include stealing files and uploading them to a remote server or recording the user's keystrokes in hopes of harvesting credit card information.
Symantec recommended that users mitigate the threat by not accepting or executing files from untrusted or unknown sources.