Microsoft's five-month Office flaw exploited

A new Trojan horse exploits an unpatched flaw in Microsoft Office and could let an attacker commandeer vulnerable computers, security experts have warned.

The malicious code takes advantage of a flaw in Microsoft's Jet Database Engine, a lightweight database used in the company's Office productivity software. The security hole was reported to Microsoft in April but the company has yet to provide a fix for the problem.

In a statement sent via email on Friday, a company representative said: "Microsoft is aware that a Trojan recently released into the wild may be exploiting a publicly reported vulnerability in Microsoft Office." The software maker is investigating the issue and will take "appropriate action", the representative said.

The Trojan horse arrives in the guise of a Microsoft Access file, security software maker Symantec said in an advisory. When run on a vulnerable system, it would give a remote attacker full access to a compromised computer, Symantec said. The company calls the pest "Backdoor.Hesive" and notes that it is not widespread.

Although exploits had already been released in April when HexView publicly reported the flaw, the Trojan is believed to be the first actual threat to take advantage of the security hole. Security monitoring firm Secunia rates the issue "highly critical", one notch below its most serious rating.

Secunia said in its April advisory: "The vulnerability is caused due to a memory handling error when... parsing database files. This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access."

Symantec advises users to be cautious when opening unknown files. The security software maker lists all recent Windows releases as vulnerable to the Trojan attack.

Joris Evers writes for CNET News.com