Microsoft has confirmed that criminals are e-mailing Word attachments that contain malicious code, with two vulnerabilities in the ubiquitous word-processing software now being exploited.

The separate acknowledgements of the two flaws came about a week apart. Both flaws put users at risk. In the most recently reported vulnerability, a zero-day flaw, an attacker can run unauthorized software on a victim’s machine simply by having the message’s recipient open a Word document.

The vulnerability has been rated “extremely critical” by security firm Secunia because of its potential danger to users.

A similar bug was reported last week. According to Microsoft, neither bug will be patched in the latest round of software updates, known as Patch Tuesday. Microsoft has noted that both flaws are being exploited only on a very limited and targeted basis.

Office Mate

Over the past year, hackers have been increasingly interested in finding flaws in Microsoft’s Office suite. The popularity of applications like Excel and PowerPoint have led attackers to find flaws in those programs because they can reach such large numbers of users.

The recent Word flaws runs the gamut of major versions of the software — including Word 2000, Word 2002, Word 2003, and Word Viewer 2003 — but does not affect Word 2007.

In an advisory, Microsoft noted that the most recent vulnerability is different from the other Word flaw found last week, also a zero-day vulnerability for which there is no patch, but did not go into specifics.

“Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources,” Microsoft warned.

Patch Work

Although Microsoft has drawn criticism in the blogosphere for not being speedier with a patch for the problems, Secunia Chief Technology Officer Thomas Kristensen noted that fixing a flaw like this in a program as popular as Word might take some time.

“These patches are not always straightforward,” he said, adding that first Microsoft has to analyze and confirm the problem, then examine the code before creating a fix to change the code behavior.

After creating the patch, the company has to conduct several tests globally, given Word’s prevalence in the marketplace. “Unfortunately, all of this takes time, but it’s necessary,” Kristensen said. “In the meantime, customers are vulnerable.”

Secunia is recommending that users be particularly diligent about not opening attachments from people they do not know.

“The good news is that the distribution has been limited, so that makes widespread infection less likely,” said Kristensen. “Then again, we’re talking about criminals, and you don’t know where they’re going to surface next time.”