Microsoft has confirmed that a vulnerability being used in a wide number of targeted zero-day attacks is an unpatched flaw in its Word program.
According to a post on Symantec’s Security Response blog by researcher Eric Chien, Microsoft has verified that the unspecified Code Execution Vulnerability (labeled CVE-2006-6456 by the software maker) is being used to deliver zero-day malware code by attackers.
Since the vulnerability remains unpatched, Symantec is advising users to be wary of opening any unsolicited Word documents that may be sent to them via e-mail.
On Tuesday, Symantec posted its initial report of the attacks that are exploiting the issue, which it named Trojan.Mdropper.X.
The security specialist said that while the documents being used in the targeted attacks are consistent with previous threats it has tracked, Symantec has received different documents using the exploit tailored to threaten a handful of different organizations.
Each of the malicious Word documents is designed to lure users within specific organizations into opening them, including through the use of unique language and content.
The company said the latest vulnerability represents the fifth known unpatched Office file format flaw currently identified by its researchers.