"Inside the document is an ActiveX control, and in that control is a line that makes it call out to the site that's hosting the malware," said David Marcus, the director of security research and communications for 's Avert Labs. "This is a pretty insidious way to attack people, because it's invisible to the eye, the communication with the site."

Embedding malicious ActiveX controls in Word documents isn't new -- Marcus said he had seen it "a time or two" -- but using an ActiveX control to ping a hacker's server for attack code is "definitely an innovation," he added. "They're stepping it up."

The rogue docments can be delivered as attachments to spam e-mail or offered up by hacked sites.

Attackers have been exploiting the IE bug , when reports first surfaced about malicious code found in the wild and on several Chinese hacker servers. McAfee was one of the first security companies to report the emerging exploit.

Since then, , then offered up a urging users to take protective steps until a fix was available.