Hackers have developed malicious code designed to exploit an unpatched vulnerability in Microsoft Word 2002 and 2003.

Maliciously-constructed Word documents containing the Mdropper-H Trojan have begun to circulate on the net in messages that pose as internal emails. The malware contains a number of objects (such as PowerPoint slides and Excel charts) along with Backdoor-Ginwui, which opens a back door that allows hackers to control compromised Windows PCs.

"This threat originated in Asia but is not spreading widely because it seems to be targeted at specific large organisations," Symantec Security Response senior director Vincent Weafer said. "Symantec has seen similar types of targeted attacks in the past which leveraged exploits in office applications, such as Word. This event illustrates the trend toward zero-day targeted attacks."

Microsoft says it is working on a patch designed to fix the underlying vulnerability in MS Word, though it's unclear when an update will be ready.

The SANS Institute has published an advisory on how to defend against Mdropper-H attacks. ®

Related stories

Unpatched Word flaw menaces civilisation (6 December 2006)
Another day, another zero-day MS exploit (28 September 2006)
Patch Tuesday omits critical Word fix (14 September 2006)
Trojan targets 0-day Word vuln (5 September 2006)
Flaw finders lay siege to Microsoft Office (22 July 2006)
French MoD questions OpenOffice security (20 July 2006)
When PowerPoint presentations attack (17 July 2006)
MS June update fixes dangerous Word flaw (14 June 2006)
Online attack holds files to ransom (31 May 2006)
MS advises users to play safe with Word (24 May 2006)
Cybercops and zero day vulns (24 April 2006)
Unofficial zero-day patches gain corporate support (4 April 2006)
Patches released for zero-day IE threat (29 March 2006)
UK.gov repels zero day WMF attack (24 January 2006)
Zero-day WMF flaw underscores patch problems (13 January 2006)
Zero-day holiday (5 January 2006)