Microsoft has warned about a new, unpatched memory corruption hole in Word that has already been targeted by hackers.
The bug can be exploited by adding a string of characters in a Word file that corrupt a PC's memory and allow an attacker to run unauthorised software on the system, Microsoft said in a security advisory.
The bug affects Word 2000, 2002, and 2003, the Word Viewer 2003 and several versions of Microsoft Works. It has been rated critical but most worryingly, Microsoft said it was investigating reports of "limited" attacks that exploit the hole.
Since automatic security updates have become commonplace, attackers have focused more on developing attacks that leverage this kind of unpatched "zero day" hole in the software. The trend has forced Microsoft to produce a growing number of software updates in recent months.
In particular, hackers turned their attention to Microsoft's Office products, which some researchers consider to be a more fruitful source of bugs than the Windows operating system. "Cyber criminals know that zero-days are very vulnerable and can be used to make lots of money," said Cesar Cerrudo, chief exec of security research firm Argeniss. These vulnerabilities can be exploited to install spyware or dangerous Trojan horse programs, or to add the victim's computer to a network of compromised PCs, called a botnet, which can then be used to send out spam or attack other systems, he said.
Microsoft's next set of security updates is due on 12 December.