Microsoft said it's working on a fix for the zero-day vulnerability in Word that spooked security vendors last week, but likely won't release a patch until June 13, the next regularly scheduled monthly patch day.
The Microsoft Word bug first surfaced Friday, when numerous security companies, led by Symantec, said that an active exploit was using an unpatched vulnerability in Word 2003 and Word XP to drop a backdoor Trojan onto a limited number of PCs. Once in place, the Trojan -- which uses rootkit techniques to infiltrate code into difficult-to-detect locations on the drive -- provides the attacker with command shell access to the PC, effectively hijacking the machine.
Friday and Saturday, Microsoft acknowledged the Word bug, said it was working on a fix, and downplayed the vulnerability.
"So far, this is a very limited attack, and most of our antivirus partners are rating this as 'low,'" Stephen Toulouse, program manager for Microsoft Security Response Center (MSRC), wrote on the MSRC blog Saturday.
Friday, Toulouse said that his team was working on a patch, which had already moved into testing, and that it would be released with the June update, "or sooner as warranted."