Microsoft on Friday warned of a new electronic attack that exploits a known vulnerability in the Jet Database Engine that is utilized by various Microsoft Office applications. The exploit that's now making the rounds via email attachment is a maliciously formatted Word document.

"Microsoft is investigating new public reports of very limited, targeted attacks using a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word," a Microsoft security advisory adds. "Customers running Windows Server 2003 Service Pack 2 (SP2), Windows Vista, and Windows Vista Service Pack 1 (SP1) are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue."

That good news aside, a number of Windows versions are vulnerable to this attack, including Microsoft Windows 2000, Windows XP, and Windows Server 2003 SP1. Affected versions of Word include Word 2000 Service Pack 3 (SP3), Microsoft Word 2002 SP3, Microsoft Word 2003 SP2, Microsoft Word 2003 SP3, Microsoft Word 2007, and Microsoft Word 2007 SP1. A successful exploit would require the user to be using an affected version of Windows in tandem with an affected version of Word, Microsoft says.

Microsoft is working on a fix for this vulnerability, which it will release either at the next regularly scheduled "Patch Tuesday" or separately as an out-of-band update. The company is also investigating whether other applications can be exploited. In the meantime, Microsoft recommends that customers exercise caution when opening attachments received via email or instant messaging. Those who believe they have been attacked are advised to contact both Microsoft and national law enforcement officials.

Security experts at Symantec have also issued a warning about this issue, noting that the primary means of attack is social engineering, i.e., causing an unsuspecting user to open a maliciously formatted Word document. "The lesson from this story is to be always vigilant and suspicious when receiving file attachments of any type, even when the attachments are non-executable formats, such as Microsoft Office files," a Symantec blog post reads.

Microsoft Security Advisory (950627)
http://www.microsoft.com/technet/security/advisory/950627.mspx