E-mail attacks target unpatched Word hole
May 19, 2006
Antivirus companies and the SANS Internet Storm Center (ISC) issued a warning today about sophisticated e-mail attacks that are using a previously unknown hole in Microsoft Word 2003 to infiltrate corporate networks. Symantec raised its Internet threat rating, citing confirmation that an unknown hole in Microsoft Word is being used to compromise computers on the Internet.
Symantec warned subscribers to its DeepSight Threat Management Service that it had confirmed reports of active exploitation of a hole in Microsoft Word 2003. The attacks use Word document attachments in e-mail messages to trigger the security hole and run code that gives attackers control over vulnerable systems, Symantec said.
Currently, these attacks are coming from China and Taiwan. Most are in Chinese, but some are showing up in English. All are targeted at corporate networks at this time, but that may change in the near future. Corporations typically transfer Word documents between departments and divisions, so their employees are not averse to opening .doc attachments.
Microsoft Word and other Office applications are a good target, because they are seen everywhere on corporate computers, and because companies often patch them far less frequently than the Windows operating system itself. It is for this reason that Microsoft introduced the Microsoft Update Service (MUS). When you log in to Windows Updates on a Windows 2000 or XP machine, you will see a link to try Microsoft Updates. I recommend that if you have Office products on that computer, you install ("Try It") the Microsoft Update Service. It will audit your computer for all Microsoft products that are installed and will make patches available as critical patches, just like it does with Windows Updates.
A word of warning: if your copy of Office is unlicensed or pirated, they will eventually find out and deny any further downloads until you obtain a valid license.
NOTE: In order to exploit this flaw in MS Word, the user must be logged on with Administrator-level privileges. People who log on and operate as Limited Users are immune to this vulnerability. This applies to spyware and virus acquisitions as well. Virtually every known type of malware requires Administrator privileges to infect a PC. By simply running your daily browsing and e-mail activities as a Limited User, you mitigate the possibility that you will unknowingly acquire a malware infection from being online.
Caution must still be exercised, because it is possible for downloaded viruses and malware to become active if you log on to an administrative account and inadvertently allow them, or are tricked into allowing them, to be installed.
Microsoft Security Advisory (919637)
Vulnerability in Word Could Allow Remote Code Execution
Published: May 22, 2006
Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.
Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.
Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
There are several possible workarounds listed on the Microsoft Advisory page. If these workarounds are applied, users will not be able to use Word as their e-mail editor or use Rich Text by default to read their e-mail.
Using Word in Safe Mode helps protect the affected system from attempts to exploit this vulnerability.
All versions of Word have an application recovery feature that allows running Word in Safe mode. Safe mode disables the functionality and prevents vulnerable code from being exploited. The full set of limitations can be found at: http://office.microsoft.com/en-us/assistance/HP030823931033.aspx
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.