Microsoft's products may be vulnerable to a security hole similar to one patched for the Mozilla browser last week.
MSN Messenger and Word both support a feature that could give remote users access to functions then used to launch applications, according to an alert from Secunia, which tracks software vulnerabilities.
A Microsoft spokeswoman said the company is investigating the reports, but is not aware of any attacks using the vulnerabilities. The applications both fail to restrict access to the "shell:" URI, a feature that allows Windows users or software applications to launch programs associated with specific file extensions such as .doc or .txt.
Malicious hackers could launch programs associated with specific extensions using links embedded in Word documents or instant messages sent using MSN. However, the vulnerability does not allow attackers to pass instructions to the programs, which would allow more sophisticated attacks, Secunia said.
On Thursday, the Mozilla Foundation issued patches for a similar flaw in Windows versions of its Web browsers, Firefox and Thunderbird, and the Mozilla Application Suite. News of the Mozilla flaws came amid increasing interest in alternative Web browsers after news broke about a number of serious security vulnerabilities in Explorer that were being used in stealthy Web-based attacks.
According to data compiled by WebSideStory, a San Diego Web measurement company, Explorer's share of the browser market dropped by one percent in the last month, the first noticeable decline since the company began tracking the browser market in late 1999.
On 2 July, Microsoft released a software update that disables a Windows component called Adodb.Stream, which was used in the Web attacks, and promised more updates for Windows and Explorer to address the security issues. If necessary, Microsoft could issue a fix for the MSN Messenger and Word flaws through its monthly software update process or an emergency patch, the company spokeswoman said.
The software giant expressed displeasure at the release of information on the product vulnerabilities, which were first publicised in the Full-Disclosure discussion list, a public online forum for those interested in computer software vulnerabilities.
"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the update is being developed," the company said.