Hackers have exploited a previously unknown flaw in Microsoft Word to create an attack that infects users who simply preview a malicious Outlook email.
According to Microsoft, a successful attack using the vulnerability would give the hacker the same rights as the current user and allow remote code execution. The company warned that it had already seen Word 2010 targeted in the wild.
"The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer," Microsoft said in its security warning.
The company points out that Word is the default email reader in Outlook 2007, 2010 and 2013.
The flaw means the attack could be launched without the end user doing anything beyond previewing the message. "The issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code," the company said.
Microsoft said it was working on a fix for the issue and would release an "out of cycle" patch if necessary.
In the meantime, the company said users should use a "quick fix solution" of disabling RTF content in Word and has provided a "fix it" tool on its website for the job.
Although successful attacks have so far only targeted Word 2010, the problem could be more widespread, security experts have warned. "It's clear that the remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, as well as Office for Mac 2011," said security researcher Graham Cluley in a blog post.
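The "disable RTF content in Word" workaround described above can also be applied without the Fix it tool, by setting Word's File Block policy so that RTF files are not opened (which also stops Outlook rendering RTF mail bodies through Word). The script below is an added example, not Microsoft's tool; it assumes the standard Office File Block registry keys (`RtfFiles` = 2 means "do not open", `OpenInProtectedView` = 0 means no Protected View fallback) and the version numbers 12.0, 14.0 and 15.0 for Office 2007, 2010 and 2013, and it writes a backup so the change can be reversed once a patch is installed.

```powershell
# Added example: block RTF in Word via the File Block policy (per-user),
# as a temporary mitigation until a patch is available.
# Assumed Office version numbers: 12.0 = 2007, 14.0 = 2010, 15.0 = 2013.
$versions = @('12.0', '14.0', '15.0')
$backup   = Join-Path $env:USERPROFILE 'word-fileblock-backup.json'
$state    = @{}

foreach ($v in $versions) {
    $key = "HKCU:\Software\Microsoft\Office\$v\Word\Security\FileBlock"
    # Only touch versions that are actually present for this user.
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\Word")) { continue }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Record the previous values (or $null) so the change can be undone.
    $prev = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $state[$v] = @{
        RtfFiles            = $prev.RtfFiles
        OpenInProtectedView = $prev.OpenInProtectedView
    }

    # RtfFiles = 2 -> "Do not open"; OpenInProtectedView = 0 -> no fallback.
    Set-ItemProperty -Path $key -Name 'RtfFiles'            -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name 'OpenInProtectedView' -Value 0 -Type DWord
}

$state | ConvertTo-Json | Set-Content -Path $backup
Write-Host "Previous settings saved to $backup"

# Verification: read the policy back for every version that was changed.
foreach ($v in $state.Keys) {
    $key = "HKCU:\Software\Microsoft\Office\$v\Word\Security\FileBlock"
    $cur = Get-ItemProperty -Path $key
    $ok  = ($cur.RtfFiles -eq 2) -and ($cur.OpenInProtectedView -eq 0)
    Write-Host ("Word {0}: RTF blocked = {1}" -f $v, $ok)
}
```

To roll back after patching, restore the two values from the backup file (or remove them) for each version listed; Word and Outlook need to be restarted for the policy to take effect.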