The bug affects Vulnerability-related.DiscoverVulnerability all supported versions of Microsoft Word , but will be fixed Vulnerability-related.PatchVulnerability this week . Unlike most document-related vulnerabilities , this zero-day bug that has yet to be patched Vulnerability-related.PatchVulnerability does n't rely on macros -- in which Office typically warns users of risks when opening macro-enabled files . Instead , the vulnerability is triggered when a victim opens a trick Word document , which downloads a malicious HTML application from a server , disguised to look like Attack.Phishing a Rich Text document file as a decoy Attack.Phishing . The HTML application meanwhile downloads and runs a malicious script that can be used to stealthily install malware . Researchers at McAfee , who first reported the discovery Vulnerability-related.DiscoverVulnerability on Friday , said Vulnerability-related.DiscoverVulnerability because the HTML application is executable , the attacker can run code on the affected computer while evading memory-based mitigations designed to prevent these kinds of attacks . The issue relates to the Windows Object Linking and Embedding ( OLE ) function , which allows an application to link and embed content to other documents , according to researchers . The Windows OLE feature is used primarily in Office and Windows ' in-built document viewer WordPad , but has been the cause of numerous vulnerabilities over the past few years . The researchers recently focused a Black Hat talk on the Windows OLE attack surface . The bug can be exploited Vulnerability-related.DiscoverVulnerability on all versions of Office , including the latest Office 2016 running on Windows 10 , and have spotted attacks in the wild since January . A Microsoft spokesperson confirmed that the company will issue Vulnerability-related.PatchVulnerability a fix for the bug on Tuesday as part of its monthly release Vulnerability-related.PatchVulnerability of security fixes and patches .