On Tuesday, one day after the December monthly patch
release, Microsoft reported that it is investigating a possible security flaw
involving the text editor WordPad. The security vulnerability is apparently
caused by WordPad’s Text Converter for Word 97 files.
Elia Florio, a security researcher at Symantec Corporation,
pointed out that the security flaw is caused by a function that frees a
region of the heap memory, allowing attackers to gain access to the EAX register
through a Unicode URL that includes the “0x0A0A” value. Yet, Florio stated
that JavaScript is needed to achieve malicious code execution and,
therefore, “blocking JavaScript for untrusted Web sites could help to somewhat
mitigate the risk.”
The Microsoft Security Advisory reported that only the Windows 2000 Service
Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and
Windows Server 2003 Service Pack 2 operating systems are likely to be affected
in this manner. The Security Advisory stated that Windows XP SP3, Windows Vista
and Windows Server 2008 are not affected by the issue, as these operating
systems don’t contain the vulnerable code. Microsoft issued a disclaimer in
which it states that it is investigating the vulnerability and also that
there are few attacks that could use this vulnerability.
The good news is that the vulnerability cannot be exploited
automatically. The only way users could be affected is by opening e-mail
attachments containing the malicious code, according to the Microsoft Security
Advisory. The Redmond giant will issue a service pack, a security bulletin or
even an out-of-cycle update if the situation worsens.
© 2007 - 2009 - eFluxMedia