Microsoft has warned of another unpatched vulnerability (http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx) in Word. The unspecified code execution flaw means hackers can load malware onto targeted machines providing users are tricked into opening maliciously constructed Word files.

The latest vulnerability in Microsoft's ubiquitous Office application software follows the discovery of a similar - also unpatched - memory corruption bug in Word last week. That flaw affected Mac as well as Windows versions of Word, whereas "this week's bug" is limited to Word 2000, 2002, 2003, and Word Viewer 2003. Both flaws are being exploited in low-intensity Trojan attacks.

As a result of these attacks, Microsoft advises users "not [to] open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources". This a pretty strict injunction - which labels the common practice of sending document files by email as inadvisable - at least until Microsoft releases patches to address the flaws.

Unfortunately, Microsoft confirmed (http://www.microsoft.com/technet/security/bulletin/advance.mspx) last week that this will not happen on its next Patch Tuesday, 12 December, which will see five security patches for Windows (at least one of which is critical) but no Office updates. Word users are unlikely to see a patch until the new year. ®

Related stories

Zero day Word flaw exploited by Trojan (9 July 2008)
http://www.theregister.co.uk/2008/07/09/zero_day_word_flaw/
Hackers go after Excel (17 January 2008)
http://www.theregister.co.uk/2008/01/17/0day_excel_bug_menace/
Exploit Wednesday follows Patch Tuesday Word update (11 October 2007)
http://www.theregister.co.uk/2007/10/11/exploit_wednesday/
Microsoft zero-days said to target Office and Windows (11 April 2007)
http://www.theregister.co.uk/2007/04/11/new_microsoft_zerodays/
Microsoft probes new Office vulnerability (15 February 2007)
http://www.theregister.co.uk/2007/02/15/office_vuln/
MS plans 'dirty dozen' patch release (9 February 2007)
http://www.theregister.co.uk/2007/02/09/ms_patch_tuesday_pre-alert/
MS January patch update omits critical Word fix (10 January 2007)
http://www.theregister.co.uk/2007/01/10/ms_jan_patch_tuesday/
MS culls Patch Tuesday litter (8 January 2007)
http://www.theregister.co.uk/2007/01/08/ms_trims_patch_tuesday/
IE 'unsafe' for 284 days last year (5 January 2007)
http://www.theregister.co.uk/2007/01/05/ie_unsafe/
Third unpatched vuln menaces Word (15 December 2006)
http://www.theregister.co.uk/2006/12/15/word_flaw_three/
Blogging to slide - PC TCOs too? (15 December 2006)
http://www.theregister.co.uk/2006/12/15/blogs_zenith_in_2007/
Three critical patches star in MS update (13 December 2006)
http://www.theregister.co.uk/2006/12/13/ms_patch_tuesday/
eEye launches 0-day tracker site (7 December 2006)
http://www.theregister.co.uk/2006/12/07/0day_tracker/
Unpatched Word flaw menaces civilisation (6 December 2006)
http://www.theregister.co.uk/2006/12/06/unpatched_word_flaw/
Patch Tuesday omits critical Word fix (14 September 2006)
http://www.theregister.co.uk/2006/09/14/ms_patch_tuesday/
Trojan targets 0-day Word vuln (5 September 2006)
http://www.theregister.co.uk/2006/09/05/ms_office_trojan/
Unpatched enterprise security bugs proliferate (24 August 2006)
http://www.theregister.co.uk/2006/08/24/0-day_manace/
Flaw finders lay siege to Microsoft Office (22 July 2006)
http://www.theregister.co.uk/2006/07/22/bug_hunters_crawl_over_ms_office/
MS June update fixes dangerous Word flaw (14 June 2006)
http://www.theregister.co.uk/2006/06/14/ms_june_patch_tuesday/
MS advises users to play safe with Word (24 May 2006)
http://www.theregister.co.uk/2006/05/24/ms_word_security_workaround/
CERT recommends anything but IE (28 June 2004)
http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/