Second Word Zero-Day Exploit Steals PasswordsSecond Word Zero-Day Exploit Steals Passwords

Microsoft has acknowledged another unpatched Microsoft Word bug, the second zero-day in six days, and confirmed that the vulnerability is being exploited by attackers.

The newest flaw, said Scott Deacon of the Microsoft Security Response Center, is unrelated to the vulnerability disclosed last Tuesday, which also has been leveraged by attackers. "From the initial reports and investigation we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis," wrote Deacon on the MSRC's blog. A successful attack, which would require a user to open a Word document attached to a malicious e-mail or download a Word file from a Web site, could completely compromise the PC.

Word 2000, 2002, 2003, and Word Viewer 2003 are affected by the newest bug, added Deacon, although the just-released Word 2007 is not. Microsoft did not say whether the Mac versions of Word, which are susceptible to attack by last week's bug, are also impacted by this new flaw.

McAfee reported that it has spotted attackers planting a password-stealing Trojan horse -- "PWS-Agent.g" -- using the newest Word exploit. The Trojan loots passwords from Internet Explorer, Firefox, and POP3 e-mail clients. Danish vulnerability tracker Secunia, meanwhile, ranked the second Word bug as "extremely critical," the same top-of-the-chart label as last week's flaw.

According to Microsoft's advance notice of the patches it plans to release Tuesday, neither of the Word flaws will be fixed in December. Microsoft issues out-of-cycle security updates only infrequently; it has done so only twice thus far during 2006.