At present the attacks are “limited”, says Microsoft, and affect only Microsoft Office Word 2002 Service Pack 3, with other Office 2002 apps being stamped as “not vulnerable”.

Successful exploitation of the flaw would grant an attacker the same user rights as the local user. Microsoft posted an advisory describing two possible attack scenarios:

– in a webmail-attack scenario, the user must open an attachment that is sent in an e-mail message. The vulnerability cannot be exploited automatically through e-mail.

– in a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker could persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s site.

Microsoft promised to issue a fix for the flaw, but made no clear statement on whether it will release it as a standalone patch or as part of the monthly Patch Tuesday.