
Microsoft today released an emergency fix for a critical vulnerability in Office that it said hackers were exploiting via infected Word documents.
The issue affects users of Windows Vista, Windows Server 2008, Lync, and Office 2003 to 2010, Microsoft said in a blog post. The current versions of Windows and Office are not affected.
The software giant said it had been made aware of targeted attacks, mostly in the Middle East and South Asia, with attackers sending unsuspecting victims crafted Word documents with a tainted attachment.
Once opened, the attachment exploits the zero-day vulnerability using a malformed graphics image embedded in the document, Microsoft said.
A successful exploit would allow the attacker to gain the same user rights as the victim.
"The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images," it said in the post.
"An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content."
Microsoft is "actively working" to develop a full automatic security patch, but in the meantime it has put out an interim manual "fix-it" to address the vulnerability.