A second security vulnerability has been discovered in Microsoft Word in less than a week.
The zero-day flaw, which is could let an attacker gain remote access to a person's system, affects Word 2000, Word 2002, Word 2003 and Word Viewer 2003, according to a Microsoft security advisory posted on Sunday night. Word 2007 is not affected, Microsoft said.
"From the initial reports and investigation, we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis," Microsoft stated in its advisory.
Nonetheless, security provider Secunia said on Monday in the US that it is rating this latest Word security flaw as "extremely critical" because it is unpatched and because malicious attackers are currently exploiting the vulnerability.
In this case, attackers are taking advantage of a flaw that arises when an unspecified error occurs when processing a Word document, Secunia said in its advisory.
Microsoft noted that the vulnerability is different from the security flaw discovered in Word last week, which also is a zero-day problem. In order to activate that flaw, a person would need to open a malicious Word file that was hosted on a Web site or an attachment that arrives via e-mail.
The software giant is not expected to have patches available for the flaws when it issues its monthly round of security updates on Tuesday.
n-day exploits (as opposed to flaws) refer to the number of days since the vulnerability has been in circulation, and is an indication to crackers of the likelihood of the exploit being successful. If the exploit has been around for five days, it will be a five-day exploit.
Therefore it is incorrect to either of these flaws as a ‘zero-day flaw’, as exploits against these flaws have been in the wild for more than zero days.
It is somewhat disappointing that a technical journal such as ZDNet gets something as simple as this wrong.