Hackers have released an exploit targeting a third unpatched vulnerability in Microsoft Word. The flaw is different from the two previous Word vulnerabilities reported earlier this month, US CERT helpfully explains (http://www.us-cert.gov/current/current_activity.html#mswd3vl).

This time around we're dealing with a memory corruption flaw that might be exploited providing users are tricked into opening a malformed Word document to either crash - or load malware onto - vulnerable PCs running Word. Attack code was available at Milw0rm.com, so the potential for mischief is high.

Pending a patch for Microsoft against the trio of unpatched bugs currently at large, US-CERT recommends users to avoid untrusted Word documents or attachments from unsolicited email messages and to use updated anti-virus packages as a way of mitigating the risk of attack. In an echo of Microsoft's advice when the first of these security bugs came out little over a week ago (on December 6) the security clearing house further advises punters not to open unfamiliar or unexpected email attachments, even if sent by a trusted source. ®

Related stories

• Zero day Word flaw exploited by Trojan (9 July 2008)

  http://www.channelregister.co.uk/2008/07/09/zero_day_word_flaw/

• Click here to turn your HP laptop into a brick (21 December 2007)

  http://www.channelregister.co.uk/2007/12/21/hp_laptop_brick_exploit/

• MS Explorer foundering after UFO strike (23 November 2007)

  http://www.theregister.co.uk/2007/11/23/ms_explorer_ufo_sinking_ship_not_software/

• Microsoft zero-days said to target Office and Windows (11 April 2007)

  http://www.channelregister.co.uk/2007/04/11/new_microsoft_zerodays/

• Malware: Windows is only part of the problem (10 January 2007)

  http://www.channelregister.co.uk/2007/01/10/secure_software_intro/

• IE 'unsafe' for 284 days last year (5 January 2007)

  http://www.channelregister.co.uk/2007/01/05/ie_unsafe/

• Security firm erects threat-level aggregator (2 January 2007)

  http://www.channelregister.co.uk/2007/01/02/threat_level_aggregator/

• All I want for Christmas... (20 December 2006)

  http://www.channelregister.co.uk/2006/12/20/security_wish_list/

• Trojan targets unpatched Word flaw (again) (11 December 2006)

  http://www.channelregister.co.uk/2006/12/11/0-day_word_flaw/

• eEye launches 0-day tracker site (7 December 2006)

  http://www.channelregister.co.uk/2006/12/07/0day_tracker/

• Unpatched Word flaw menaces civilisation (6 December 2006)

  http://www.channelregister.co.uk/2006/12/06/unpatched_word_flaw/

• Patch Tuesday omits critical Word fix (14 September 2006)

  http://www.channelregister.co.uk/2006/09/14/ms_patch_tuesday/

• Unpatched enterprise security bugs proliferate (24 August 2006)

  http://www.channelregister.co.uk/2006/08/24/0-day_manace/

• Flaw finders lay siege to Microsoft Office (22 July 2006)

  http://www.channelregister.co.uk/2006/07/22/bug_hunters_crawl_over_ms_office/

• MS June update fixes dangerous Word flaw (14 June 2006)

  http://www.channelregister.co.uk/2006/06/14/ms_june_patch_tuesday/

• MS advises users to play safe with Word (24 May 2006)

  http://www.channelregister.co.uk/2006/05/24/ms_word_security_workaround/

• CERT recommends anything but IE (28 June 2004)

  http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/