Zero-day attack strikes Office

A new, yet-to-be-patched security hole in Word is being used in targeted cyber attacks, Microsoft has warned.

When a user opens a rigged Word file, it may corrupt system memory in such a way that an attacker could gain complete control over the PC, Microsoft said in a security advisory. Office 2000 and Office XP are at risk, the company said. The two recent versions, Office 2003 and 2007, are not affected.

As with most of the Office vulnerabilities, an attacker would have to trick a user into opening a malicious file to be successful. The vulnerability is being exploited in "very limited, targeted attacks", Microsoft said. A security update to repair the problem is in the works, it added.

Word of the new flaw came a day after Microsoft released updates for nine other Office-related vulnerabilities. Five of them were zero-day flaws, or security holes that have been publicly disclosed but not fixed.

Security experts have said that limited-scale attacks are the most dangerous. Widespread worms, viruses or Trojan horses sent to millions of mailboxes are typically not a grave concern, because they can be blocked. But targeted Trojan horses, especially those aimed at specific businesses, have become nightmares as they can fly under the radar.

Cyber crooks have found that they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after "Patch Tuesday" - the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.

Joris Evers writes for CNET News.com