A Word buffer overflow was just disclosed to the public by Microsoft. The advisory tries to put things in perspective so users know whether they are at risk, and what to do:

In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.

Extreme caution? That must be just above high caution. Would that be a red, or maybe orange warning level? Good general advice, but not very confidence building. Imagine telling the driver of a car “use extreme caution while operating the vehicle as we have found something very wrong with the design of your brakes”…

What percentage of attachments are unsolicited? Probably a vast majority of them, I would say, with very little out-of-band confirmation as normal process. And there is no word (pun not intended) on how to reliably identify “malicious” Word files or “attackers” as a normal procedure either. If you scroll down to the more detailed “workaround” advice, you get the same update, worded only slightly different:

Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.

Maybe this could be rephrased into “only open or save Word files after confirming from trusted sources that they are safe”? Whitelisting seems easier to me than a fuzzy blacklist, but let’s just hope Microsoft has a patch soon.