[Steve]

Microsoft warned MS Office users on Friday that some customers have reported attacks using Microsoft Word and a previously unknown vulnerability in Microsoft's Jet database engine. Microsoft's Jet Database Engine provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party applications

The attack uses an e-mail message with two attachments - a Word file and a Microsoft Jet database file. Microsoft is investigating whether other programs could also be used. Microsoft says that its database files (.mdb) should be considered unsafe, and though they do not execute automatically, under the attack conditions described in the latest information released the database files does execute, potentially executing malicious code.

To mount a Web-based attack, an attacker would host a Web site containing a specially crafted Word file that is then used to attempt to exploit this vulnerability. An attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's site.

Microsoft advises that people using Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable, however, people using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.

Microsoft may include a security update through our monthly release process or through an 'out-of-cycle' security update.