There is another vulnerability (of sorts) in Microsoft Word that is actively being exploited for espionage and surveillance. A Unicode reference to the INCLUDEPICTURE field can include a hyperlink to an external image or file, such as a PHP script on a remote server. This is an OLE2 (Object Linking and Embedding) directive, first introduced in Office 2007.
Because Word requests the linked resource when the document is opened, your PC can fork over valuable system hardware and software information without the need for executable code, scripts, or contaminated document objects. At present, this is being used for information gathering only, which suggests a precursor to an attack campaign. This bug exists in all versions of Office since 2007, including the Apple and Android versions.
Generally speaking, keep a tight rein on Office documents. People who continue to email Office documents around will get burned. This is not a question of “if”, but of “when”.
Kaspersky’s ThreatPost has an interesting write-up on this issue here.