Microsoft is warning customers of active attacks on a vulnerability that could be exploited through Microsoft Word giving an attacker the same user rights as the local user.
The vulnerability exists in the Microsoft Jet Database Engine. In order for the vulnerability to be exploited, users would have to click on a link in an email message to navigate to a malicious website that contains a specially crafted Word file.
"In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability," Microsoft said in its advisory.
Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), did not rule out an out-of-band update to correct the problem.
"We currently have teams working to develop an update of appropriate quality for release in our regularly scheduled bulletin process or as an out-of-band update, depending on customer impact," Sisk said in a posting at the MSRC team blog.
As a temporary workaround, customers can restrict the Microsoft Jet Database Engine from running. Administrators can also block Microsoft database files (.mdb) files from being processed through mail systems.
Those using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks, Microsoft said.
"Microsoft is investigating the public reports and customer impact," Microsoft said in its advisory. "We are also investigating whether the vulnerability can be exploited through additional applications."