An unpatched flaw in the Windows 2000 version of Microsoft Office 2000 is being used by attackers to run unauthorised software on a victim's computer, according to security firm Symantec.
Microsoft has confirmed that the bug exists, but it would not say when it plans to fix the problem.
The critical vulnerability was first reported by Symantec to users of its DeepSight threat notification service. Attackers are exploiting the flaw by sending malicious Word documents to victims, Symantec said. When these documents are opened, Word is tricked into installing malicious software on the PC.
Symantec is calling this malware Trojan.MDropper.
Trojan.MDropper installs malicious software on the computer, which in turn installs another Trojan horse program "which turns out to be a new variant of Backdoor.Femo", Symantec said.
Symantec testers had not been able to exploit the problem on more up-to-date versions of Office or Windows. On Tuesday Microsoft said the bug was confined to Microsoft Word 2000.
Microsoft is investigating the issue and may release a patch once that investigation is completed, according to the company's public relations agency.
Microsoft has spent a lot of time investigating and patching Office applications this year. Over the past few months there have been several reports concerning very targeted attacks, similar to this latest Office issue. Microsoft's most recent security updates have been filled with patches for Office flaws, many of which had already been used in attacks.