According to reports, Microsoft has confirmed the presence of a critical vulnerability which affects users of MS Word on Windows 2000, XP and Server 2003 SP1. Shame it has taken many weeks for Microsoft to admit this, and only after a second security vendor recently discovered in-the-wild exploits.
The attacks exploit bugs in the Microsoft Jet Database Engine, Jet.dll. Symantec has stated that its own Security Response team describes them as using malicious Word 2000, 2002, 2003 and 2007 documents to call the Windows component.
Another security outfit, Panda, claims to have blogged about the vulnerability some three weeks back, but accuses Microsoft of dismissing the reports of in-the-wild exploits by saying "they would not fix these mdb vulnerabilities", which researcher Ismael Briones reckons is part of some bizarre policy of not acknowledging vulnerabilities that come from .mdb files.
Indeed, to back up the claims, the report quotes an email response from Microsoft which states "You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files."