According to the Redmond company, the flaw affects the following versions: 2000 SP3, 2002 SP3, and 2003 SP3, as well as Microsoft Office 2004 for Mac. Office 2007 is not affected.
The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.
In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.
For the time being, Microsoft advises users to rely on the following workarounds to avoid being affected:
– Do not open or save Office files that you receive from untrusted sources or that are received unexpectedly from trusted sources.
– Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources.
– Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.