Trojan targets unpatched Word flaw (again)

Microsoft has warned of another unpatched vulnerability in Word. The unspecified code execution flaw means hackers can load malware onto targeted machines providing users are tricked into opening maliciously constructed Word files.

The latest vulnerability in Microsoft's ubiquitous Office application software follows the discovery of a similar - also unpatched - memory corruption bug in Word last week. That flaw affected Mac as well as Windows versions of Word, whereas "this week's bug" is limited to Word 2000, 2002, 2003, and Word Viewer 2003. Both flaws are being exploited in low-intensity Trojan attacks.

As a result of these attacks, Microsoft advises users "not [to] open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources". This a pretty strict injunction - which labels the common practice of sending document files by email as inadvisable - at least until Microsoft releases patches to address the flaws.

Unfortunately, Microsoft confirmed last week that this will not happen on its next Patch Tuesday, 12 December, which will see five security patches for Windows (at least one of which is critical) but no Office updates. Word users are unlikely to see a patch until the new year. ®