Microsoft is investigating another flaw in Microsoft Word that is reportedly being used in targeted attacks against its customers, the software giant stated in an advisory published late Friday.

The flaw, which appears to only affect Microsoft Word 2000, is being used by a Trojan horse, MDropper.W, according to security firm Symantec, the owner of SecurityFocus. The company described the flaw on Thursday, and the following day, Microsoft released its own advisory.

"In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker," a Microsoft spokesperson said in an e-mail statement sent to SecurityFocus.

The flaw is the fourth vulnerability in Microsoft Word that remains unpatched. In December, targeted attacks used a flaw in Word 2000 to install software onto a victim's PC, and neither that flaw nor two previously discovered flaws were fixed by Microsoft in January. The company's Office productivity suite came under attack in 2006, with more than 10 times more flaws discovered last year than in 2005. The target Trojan horse attacks that typically use Office flaws to install malicious software have increased over the last year, according to security researchers.

Office 2007, paired with Windows Vista, will likely eliminate the danger from most of the attacks. Microsoft plans to launch both the operating system and the suite of applications in New York on Monday.

Microsoft did not announce a time table for patching the latest Word 2000 flaw, nor the three previous issues.

securityfocus.com