A day after its December 9 patch release, Microsoft Corp. said it is investigating reports of a vulnerability in the WordPad Text Converter for Word 97 files and a zero-day flaw affecting Microsoft Internet Explorer 7.
Elia Florio, a security researcher at Symantec, noted that the vulnerability is caused by a function that incorrectly frees a certain region of heap memory, which allows an attacker to control the EAX register by means of a specially crafted Unicode URL that includes the "0x0A0A" value.
Florio wrote in a blog post that the attack "requires some JavaScript in order to use heap-spray techniques to achieve a reliable code execution; so, blocking JavaScript for untrusted Web sites could help to somewhat mitigate the risk."
According to the Microsoft Security Advisory, only users of Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2 are affected by the flaw. Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 are not affected because these operating systems do not contain the vulnerable code.
However, the flaw cannot be exploited automatically through e-mail. The advisory stated: "At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. For an attack to be successful, a user must open an attachment that is sent in an e-mail message."
As for fixes, Microsoft has not offered details as to when patches or security updates will be available. Nonetheless, it has issued its standard disclaimer stating that it is investigating the issue and will act upon completion of that investigation.












