Storms had no explanation for why IE10 was not affected. "I have no insight or good guesses as to what about IE10 makes it special," he said.
He recommended that Microsoft customers apply the IE update as soon as possible. "It's almost always 'IE first,'" he said. "Then, no question — apply that Word fix pronto."
Bulletin 1, the update that will patch Word, will also affect SharePoint Server 2010 and SharePoint Server 2013, the collaboration software many enterprises have deployed to support Office. Because SharePoint Server runs a service called "Word Automation Services," which automatically opens documents in several formats, including RTF, it could also be exploited, potentially spreading attack code throughout a company.
"This sounds like a pretty interesting possible attack vector," observed Storms. "Aren't we always told not to just automatically open everything we get?"
Microsoft will release the security updates on April 8 around 1 p.m. ET.