Eric Chien reported late Tuesday on the Symantec Security Response weblog that the anti-virus firm has received new Word documents containing a zero-day exploit being used in targeted attacks against several organisations.
However, the Californian firm was trying to determine whether the vulnerability was simply a variation of one of four recently disclosed unpatched Office flaws, three of which were reported in December. Indeed it was, according to a Microsoft spokesman.
"Microsoft's intitial investigation shows that this is not a new vulnerability but a duplicate of an already known public issue," the spokesman said, referring to CVE-2006-6456, reported 10 December.
A fourth Word bug came to light last week and is being used in limited attacks, according to Microsoft.
All of the vulnerabilities could be exploited to execute arbitrary code, allowing attackers to drop a trojan on an infected machine.
Some experts have predicted Microsoft would release out-of-cycle fixes for the Word flaws, but so far it has remained quiet on its patching plans.
"No patches appear available, so, as always, be careful opening unsolicited Word documents," Chien said.
Researchers are particularly concerned about the flaws because Office is a heavily used program, and corporate employees routinely trade Word files on a daily basis.
IT security protocol may require some firms to now take action, said Swa Frantzen, a SANS Internet Storm Center handler, on that organisation’s blog.
"Even though it appears there might be little gain in once again trying to convince people not to email Office documents, not to open them, etc., some renewed attention might be required," Frantzen said.
Click here to email reporter Dan Kaplan.
Is there a fifth zero-day vulnerability in Microsoft Word?
By Dan Kaplan on Feb 1, 2007 8:06AM