Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000.
Alexandra Huft, a member of Microsoft’s security team, said the Redmond, Wash.-based vendor posted Microsoft Security Advisory (932114) for an issue “that only affects Microsoft Word 2000.”
“We are currently investigating a report of a posting of proof of concept code which could allow an attacker to execute code on a user’s machine in their security context by convincing them to open a specially-crafted Word document,” Huft wrote in a posting to the company’s Web site on Friday.
Internet security firm Secunia reported the exploit on Friday and deemed it “extremely critical.”
Microsoft, however, minimized the potential impact of the exploit.
“We are aware of very limited, targeted attacks attempting to use the
vulnerability reported,” Huft wrote.
When Microsoft talks about “very limited, targeted attacks,” they specifically mean attacks carried out against a very small number of customers (sometimes only one or two even) or ones that are carried out in a very deliberate fashion against a specific organization or organizations.
They contrast this to attacks that affect a broad number of customers randomly.
In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.