The flaw, reported in Microsoft Word 2000 when running on Windows 2000, is caused by an unspecified error that occurs when a computer processes Word documents, according to vulnerability monitoring firm Secunia. The vulnerability is exploited when a malicious document is opened, allowing the intruders to remotely execute arbitrary code and compromise a user's PC.
Secunia rated the flaw "extremely critical," its highest threat rating. McAfee Avert Labs and Symantec have reported in-the-wild samples of a trojan exploiting the vulnerability. McAfee has named the malware W32/Mofei.worm, while Symantec is calling it Trojan.MDropper.Q.
Hon Lau, a Symantec senior security response engineer at Symantec, said in a blog posting Sunday that vulnerabilities in Microsoft Office likely will continue because the application provides a hideaway for malware. A similar zero-day bug occurred in May and affected Word 2003 versions.
"Microsoft Office vulnerabilities are a great platform for social engineering and email based attacks," Lau said. "Enterprises, small businesses and consumers continue to share and exchange information using Microsoft Office documents. As most of these document types are generally allowed to pass through most firewalls and security solutions, Microsoft Office documents are (a) good vehicle for hiding executable malicious code."
As a fix for the current flaw, experts recommend users do not open untrusted Office documents. A Microsoft spokesman could not immediately be reached for comment today to confirm the exploit or discuss the software giant's response.
The Redmond, Wash. company's next monthly patch release is scheduled for Sept. 12