These "zero-day" attacks use a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.
In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.
As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.
Until a security fix from Microsoft becomes available, US-CERT recommends that users follow the recommendations in Microsoft Security Advisory 929433 to help mitigate the security risks for all three Word vulnerabilities.
