First reported last week, the unspecified flaw in Word could be used to remotely execute code on a PC, according to vulnerability monitoring firm Secunia.
So far, the preferred form of delivery for the malware has been email, according to Stephen Toulouse, head of the Microsoft Security Response Center (MSRC).
"First off on the vulnerability itself: I want to reiterate we’re hard at work on an update. The attack vector here is Word documents attached to an email or otherwise delivered to a user’s computer," he said on the MSRC blog. "The user would have to open it first for anything to happen. That information isn’t meant to say the issue isn’t serious, it’s just meant to clearly denote the scope of the threat."
Toulouse said that the malicious emails tend to arrive in bunches, with fake domains similar to the actual domains of the targets.
Symantec warned PC users last week about activity surrounding the flaw, including malicious PowerPoint slides and Excel charts, a trojan called Backdoor.Ginwui and a malicious Word document called Trojan.Mdropper.H.
The exploits caused Symantec to raise its ThreatCon level to Level 2 (Level 1 is the lowest, and Level 4 is the highest).
Vendor F-Secure called threats from DOC files "a nasty attack vector."
"Five years ago, when macro viruses were the No. 1 problem, many companies were not allowing native DOC files through their email gateways," said Mikko Hypponen, chief research officer at the Helsinki-based firm. "Now that has changed, and DOCs typically get through just fine. But Word has vulnerabilities and users typically don’t install Word patches nearly as well as Windows patches."