Successful exploitation of the flaw would grant an attacker the same user rights as the local user. Microsoft posted an advisory outlining two possible attack scenarios:
– in a webmail-attack scenario, the user must open an attachment that is sent in an e-mail message. The vulnerability cannot be exploited automatically through e-mail.
– in a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker could persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s site.
Microsoft promised to issue a fix for the flaw, but made no clear statement on whether it will release it as a standalone patch or as part of the monthly Patch Tuesday.