[ISN] Microsoft advises users to switch Word to 'safe mode'

From: InfoSec News (isn@private)
Date: Thu May 25 2006 - 00:40:09 PDT


By James Niccolai
May 24, 2006 

Microsoft Corp. is advising Word users to run the application in "safe
mode" to help guard against a Trojan program that surfaced recently,
although security experts today said there still appears little cause
for alarm.

"The good news is that it doesn't seem to be very widespread," said
Graham Cluley, a senior technology consultant with U.K. antivirus
company Sophos PLC. "There have been very, very few reports."

Researchers at F-Secure Corp. and Trend Micro Corp. also said the
number of reported incidents remained low. Trend Micro rates the
Trojan as "low risk" because, while the potential for damage is high,
the impact so far has been small, said David Sancho, a senior
antivirus engineer.

The Trojan surfaced last Thursday and arrives buried in a Word file
attached to an e-mail message (see "E-mail attacks target unpatched
Word hole" ). It secretly installs software on a user's PC that could
be used to execute remote commands, download other malware or monitor
keystrokes and gather passwords, among other mischief.

For the Trojan to do its work, however, users must first be tricked
into opening the Word attachment. And the incidents reported so far
suggest that hackers are still using the Trojan in a very targeted
fashion rather than sending it in mass e-mail, said Erkki Mustonen, a
security researcher at F-Secure.

The Finnish vendor received reports from a handful of European
companies affected last week that were all in the same business area,
Mustonen said. He declined to name the industry. The company received
a few more reports this week but "it seems to be pretty calm," he

The number of hacker groups using the Trojan appears quite small at
this point, Mustonen said. "It seems they have been written by expert
people," he said.

He advised businesses to monitor any suspicious traffic coming from
China in their firewall. The Trojan may not have originated there, but
it appears at least to be talking to a host server in that country, he

Microsoft's Security Research Center is analyzing the vulnerability,
which affects Microsoft Word XP and Word 2003. The company said it
will release a patch with its next regular update, due June 13, or
earlier if necessary.

In the meantime,Word's safe mode won't fix the vulnerability but will
prevent the vulnerable code from being exploited, Microsoft said.

The first step is to disable the Outlook feature that uses Word for
editing e-mails. The second involves creating a new desktop shortcut
that adds "/safe" to the Word command line. Detailed instructions are
available online.

"For the sake of security I'd recommend doing it, even though it's a
bit difficult," Sancho of Trend Micro said.

In safe mode, Word ignores toolbar customizations, changes to
preferences can't be saved and functions such as AutoCorrect and Smart
tags are disabled.

Copyright 2006 ITworldcanada.com.

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Thu May 25 2006 - 00:47:27 PDT