Microsoft is investigating reports of a flaw in the WordPad Text Converter for Word 97 files, the company said on Tuesday.
A Microsoft blog states: "We are aware of very limited and targeted attacks seeking to exploit this vulnerability."
Separately, on Wednesday, security researchers reported finding a zero-day flaw affecting Internet Explorer 7.
According to Microsoft security advisory 960906, the WordPad flaw only affects users of Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2. This issue does not affect Windows XP Service Pack 3, Windows Vista and Windows Server 2008.
When Office Word is installed, Word 97 (.doc) documents are set by default to open in Office Word, and Microsoft said Word itself is not affected by this vulnerability. However, an attacker could rename a malicious Word 97 document to carry the Windows Write (.wri) extension, which is associated with WordPad, so that WordPad and its vulnerable converter handle the file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
The flaw cannot be exploited automatically through email, however; for an attack to succeed, a user must open a malicious attachment. Microsoft noted that the .wri file type can be blocked at the internet perimeter.
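The perimeter check Microsoft describes is a plain extension block. Because the attack vector above is a Word 97 document renamed to .wri, a filter can also look at the content: Word 97 files are OLE2 compound files with a fixed eight-byte signature, so an attachment that carries that signature under an extension that is not an OLE2 format is a renamed document whatever it is called. The following is an added example, not code from the article or from Microsoft; the OLE2 signature is taken from the compound-file format documentation, and the list of extensions treated as legitimate OLE2 carriers is an assumption for this example (it lets .doc through because the article's scenario is a machine where Word, which is not affected, owns .doc).

```python
"""Mail-perimeter attachment filter for the renamed-.wri attack vector.

Two rules:
  1. Block .wri attachments outright (the workaround the article mentions).
  2. Block any attachment whose bytes start with the OLE2 compound-file
     signature but whose extension is not a known OLE2 format, which is
     exactly what a Word 97 document renamed to .wri (or anything else) looks like.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# OLE2 / Compound File Binary header; Word 97-2003 .doc files start with it.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Extension the article names as handled by WordPad; blocked regardless of content.
BLOCKED_EXTENSIONS = {".wri"}

# Assumption for this example: extensions under which OLE2 content is expected.
# .doc is allowed only because the article's scenario has Office Word (unaffected)
# registered for it; on a machine without Word this set should not include .doc.
OLE2_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt", ".msg"}


def inspect_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return ('block' | 'allow', reason) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{ext} attachments are blocked at the perimeter"
    if data.startswith(OLE2_MAGIC) and ext not in OLE2_EXTENSIONS:
        shown = ext or "no extension"
        return "block", f"OLE2 compound file (Word 97 layout) disguised as {shown}"
    return "allow", "no indicator"


def scan_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Parse a raw RFC 822 message and return (filename, verdict, reason) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        verdict, reason = inspect_attachment(name, payload)
        findings.append((name, verdict, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample message for the demo: no real exploit content.

    The first two attachments carry only an OLE2 header followed by zero padding,
    enough to trigger the signature check; the third is harmless text.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("see attached")
    fake_doc = OLE2_MAGIC + b"\x00" * 24
    msg.add_attachment(fake_doc, maintype="application",
                       subtype="octet-stream", filename="report.wri")
    msg.add_attachment(fake_doc, maintype="application",
                       subtype="octet-stream", filename="report.rtf")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample_message()):
        print(f"{name:12} {verdict:6} {reason}")
```

Run stand-alone, the script blocks report.wri on extension, blocks report.rtf because OLE2 content does not belong under .rtf, and allows notes.txt. The second rule is the one worth keeping even after the patch: it catches the renaming trick itself rather than one extension.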
Microsoft issued its standard statement that it is investigating the issue and will act once that investigation is complete. Depending on the severity, the fix could arrive in a service pack, as a bulletin in the next monthly security update, or as an out-of-cycle security update.

Talkback
Defend against the zero-day issues by using Application Control.
What is it?
By employing a whitelist approach, Application Control enables only authorised applications to run on a network, laptop or PC.
So in this case, the zero-day code is unauthorised and will not execute.