Microsoft has warned its Word software is vulnerable to a newly discovered dangerous bug – which is being exploited right now in “limited, targeted attacks” in the wild. There is no patch available at this time.
The flaw is triggered by opening a maliciously crafted RTF document in the Microsoft Office word processor, or opening it via Outlook, and allows the attacker to execute arbitrary code on the machine.
The hole was disclosed by Microsoft on Monday outside the monthly Patch Tuesday cycle. Opening a poisoned Rich Text File (RTF) document allows the attacker to hijack the PC with the same privileges as the logged-in user.
Microsoft has warned that attackers are exploiting a previously unknown security hole in Microsoft Word that can be used to foist malicious code on users who open a specially crafted text file, or who merely preview a specially crafted message in Microsoft Outlook.
“Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word,” the company advised in a notice published on Monday.
To be clear, Microsoft said the exploits it has seen so far attacking this vulnerability have targeted Word 2010 users, but according to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011.
Microsoft said it is working on an official fix for the flaw, but in the meantime affected users can apply a special Fix-It solution that disables the opening of RTF content in Microsoft Word.
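While RTF is the format being blocked, it helps to identify RTF by its content header rather than its file extension, since a file renamed to .doc can still carry RTF. The following is an added example, not part of the original article or Microsoft's Fix-It; the function names, the loose `{\rt` prefix match and the sample attachments are assumptions constructed for illustration.

```python
import os

# Standard RTF files begin with "{\rtf1". Matching the shorter "{\rt" prefix is
# a deliberately loose choice (an assumption of this example) so that slightly
# malformed headers are still flagged.
RTF_PREFIX = b"{\\rt"
UTF8_BOM = b"\xef\xbb\xbf"
RTF_EXTENSIONS = {".rtf"}


def is_rtf(data: bytes) -> bool:
    """Return True when the content starts with an RTF header."""
    head = data[:64]
    if head.startswith(UTF8_BOM):
        head = head[len(UTF8_BOM):]
    return head.lstrip(b" \t\r\n").startswith(RTF_PREFIX)


def triage(attachments):
    """Classify (filename, content) pairs.

    Verdicts:
      "rtf"           - RTF content with an .rtf extension
      "rtf-disguised" - RTF content under another extension (e.g. .doc)
      "other"         - content is not RTF
    """
    results = []
    for name, data in attachments:
        ext = os.path.splitext(name)[1].lower()
        if not is_rtf(data):
            verdict = "other"
        elif ext in RTF_EXTENSIONS:
            verdict = "rtf"
        else:
            verdict = "rtf-disguised"
        results.append((name, verdict))
    return results


# Constructed sample attachments (harmless content, not real samples).
SAMPLES = [
    ("invoice.rtf", b"{\\rtf1\\ansi Hello}"),
    ("report.doc", b"\r\n{\\rtf1\\ansi Renamed RTF}"),
    ("legacy.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16),
    ("notes.txt", b"plain text mentioning {\\rtf1 mid-file"),
    ("memo.doc", UTF8_BOM + b"{\\rtf1 BOM-prefixed}"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES):
        print(f"{verdict:14} {name}")
```

Files reported as `rtf-disguised` are the ones an extension-based filter would let through.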
The Microsoft advisory didn’t say exactly who was being subjected to the attacks. The term “targeted attacks” is typically used to describe hacks that are directed against a specific individual or group of individuals, often as part of espionage campaigns targeting corporations or government agencies.