Microsoft Word vulnerability prompts advisory

Users of an older version of Microsoft Word could have their computers compromised after downloading and opening a specially crafted .doc file, according to an advisory issued late Tuesday.

Microsoft said only limited and targeted attacks have so far attempted to use this vulnerability against systems running Microsoft Word 2002 SP3.

To become infected, a vulnerable user would have to open a specially crafted .doc document. An attacker using this vulnerability would then have the same user rights as the victim. If a victim were running as administrator, the attacker would gain full access to the compromised PC.

Attacks such as this are often used against corporations and government sites as a means of gaining access to desktop computers inside the security perimeter and, eventually, to its networks shares.

In a press release, Microsoft's security response communications manager Bill Sisk said Microsoft could issue an update as part of its monthly Patch Tuesday program, or, if the situation warrants, it could issue an out-of-cycle update. At the moment, Microsoft is still investigating the matter. "Security advisories address security changes that may not require a security bulletin but may still affect customer's overall security."

Only users of Microsoft Office Word 2002 SP3 are affected. Not affected are users of Microsoft Office Word 2000 Service Pack 3, Microsoft Office Word 2003 Service Pack 2 and Microsoft Office Word 2003 Service Pack 3, Microsoft Office Word 2007 and Microsoft Office Word 2007 Service Pack 1, Microsoft Office Word Viewer 2003 and Microsoft Word Viewer 2003 Service Pack 3, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1, Microsoft Office for Mac 2004, and Microsoft Office for Mac 2008.