Microsoft has issued a security advisory to users of Office on Windows Vista. A newly-discovered vulnerability in Microsoft Office versions 2003 through 2010, when running on Windows Vista, is already being exploited by nefarious hackers.

If you are using Office 2003 to 2010 on Windows Vista, you should take steps to protect yourself until Microsoft releases a patch for this vulnerability:

• Install and use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)
• Install the related Microsoft ‘Fix-It’ (see Microsoft Knowledge Base Article 2896666).

This vulnerability also affects Office 2003 through 2010 running on Windows Server 2008, but you shouldn’t be running desktop applications on server software anyway, right?

The MSRC blog has more information, as does an Ars Technica post on the subject.

Update 2013Nov09: apparently attacks based on this vulnerability are more widespread than was originally estimated.