Microsoft has confirmed that criminals are e-mailing Word attachments that contain malicious code, with two vulnerabilities in the ubiquitous word-processing software now being exploited.

The separate acknowledgements of the two flaws came about a week apart. Both flaws put users at risk. In the most recently reported vulnerability, a zero-day flaw, an attacker can run unauthorized software on a victim’s machine simply by having the message’s recipient open a Word document.

The vulnerability has been rated “extremely critical” by security firm Secunia because of its potential danger to users.

A similar bug was reported last week. According to Microsoft, neither bug will be patched in the latest round of software updates, known as Patch Tuesday. Microsoft has noted that both flaws are being exploited only on a very limited and targeted basis.

Office Mate

Over the past year, hackers have been increasingly interested in finding flaws in Microsoft’s Office suite. The popularity of applications like Excel and PowerPoint have led attackers to find flaws in those programs because they can reach such large numbers of users.

The recent Word flaws runs the gamut of major versions of the software — including Word 2000, Word 2002, Word 2003, and Word Viewer 2003 — but does not affect Word 2007.

In an advisory, Microsoft noted that the most recent vulnerability is different from the other Word flaw found last week, also a zero-day vulnerability for which there is no patch, but did not go into specifics.

“Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources,” Microsoft warned.

Patch Work

Although Microsoft has drawn criticism in the blogosphere for not being speedier with a patch for the problems, Secunia Chief Technology Officer Thomas Kristensen noted that fixing a flaw like this in a program as popular as Word might take some time.

“These patches are not always straightforward,” he said, adding that first Microsoft has to analyze and confirm the problem, then examine the code before creating a fix to change the code behavior.

After creating the patch, the company has to conduct several tests globally, given Word’s prevalence in the marketplace. “Unfortunately, all of this takes time, but it’s necessary,” Kristensen said. “In the meantime, customers are vulnerable.”

Secunia is recommending that users be particularly diligent about not opening attachments from people they do not know.

“The good news is that the distribution has been limited, so that makes widespread infection less likely,” said Kristensen. “Then again, we’re talking about criminals, and you don’t know where they’re going to surface next time.”

No-swipe credit cards that use radio waves to relay their data put consumers at increased risk of identity theft, Sen. Charles Schumer (news, bio, voting record) said Sunday.

“These cards may be convenient, but they’re a double-edged sword,” said Schumer, D-N.Y.

Tens of millions of no-swipe credit cards have been issued in the past year. When a customer uses the credit card to make a purchase, the card is processed by a radio frequency identification reader operated by the retailer.

Schumer said thieves can equip themselves with the radio frequency readers to steal information from the credit cards, which are being marketed heavily as time savers.

“All you need to be is within a couple of feet of the customer,” Schumer said. “You may as well put your credit card information on a big sign on your back.”

But JPMorgan Chase & Co., the nation’s second-largest financial services provider and its premier credit card issuer, has maintained the no-swipe method provides the same level of security as the traditional swiping method, which involves reading a magnetic strip on the back of the card. The cards use encrypted data, it said.

“The card and the reader in the terminal are safe and secure, and the transaction is handled the same way that credit cards are managed today,” Thomas O’Donnell, senior vice president of Chase cards services, said when the company announced the launch of its blink cards last year.

Schumer, who held a news conference on a busy Manhattan street corner Sunday amid holiday shoppers, called for regulations to require higher encryption standards that would make the cards more secure.

In addition, Schumer said contracts for the no-swipe credit cards should have warning boxes disclosing “the known weaknesses of the technology.”

“Holiday shoppers need to be extremely careful with their credit cards,” he said, “and these companies need to step up their efforts to protect people from identity theft.”

A telephone call to Visa International Inc., the nation’s largest credit card brand, wasn’t immediately returned