[ISN] New Word Zero-Day Attacks Begin

From: InfoSec News (alerts@private)
Date: Wed Dec 06 2006 - 22:12:56 PST


By Gregg Keizer
Dec 6, 2006

Microsoft warned Mac and Windows users of its popular word processor 
Word that attackers are exploiting an unpatched flaw in the program's 
file format. A security research firm said the attacks will likely 
remain limited.

Tuesday, Microsoft posted a security advisory that acknowledged 
specially crafted Word documents could be used to seize a computer, and 
offered a defensive recommendation. "Do not open or save Word files that 
you receive from untrusted sources or that are received unexpectedly 
from trusted sources," Microsoft said in the advisory.

Word 2000, 2002, and 2003 are vulnerable, noted Microsoft, as are 
Microsoft Works 2004, 2005, and 2006 since those bundles also include 
Word, and Word Viewer 2003, a free-of-charge utility aimed at users who 
don't own Word but need to view and print documents in the program's 
native file format. Users of Word 2004 for Mac and Word 2004 v. X for 
Mac are also at risk.

"We're not seeing any widespread outbreak," says Vince Hwang, a group 
product manager with Symantec's security response team. "Instead, we 
expect that it will be used in targeted attacks against individuals."

Although Microsoft doesn't rate its advisories, others have pegged the 
new zero-day as critical. Danish vulnerability tracker Secunia, for 
example, labeled the new flaw as "extremely critical," the top-most 
ranking in its five-step scoring system.

Attackers could leverage the bug by enticing users to a malicious Web 
site and then convincing them to download and open a malformed Word 
document. More likely, however, would be e-mailed attacks; opening a 
malicious attachment could compromise the Mac or PC.

Microsoft is investigating, and as is its practice, said it might 
provide a patch but didn't specify a timeline. "Microsoft will take the 
appropriate action to help protect our customers [which] may include 
providing a security update through our monthly release process or 
providing an out-of-cycle security update." The company's next security 
updates are scheduled for next week, Dec. 12.

This is the second major Microsoft Word zero-day exploit in 2006; in 
May, a Chinese-based attack hit one or more enterprises using another 
flaw in the Word file format. Microsoft patched that bug in mid-June.

"It's not clear whether this [attack] is being done by the same 
[group]," says Hwang. "But it's part of the trend in the increase in 
zero-days that we've seen this year."

After the May attack using Word, follow-on assaults were conducted by 
cyber criminals using new-found flaws in other Microsoft Office 
applications, including its Excel spreadsheet and PowerPoint 
presentation maker. This summer, experts laid the blame on sophisticated 
hackers who were using advanced "fuzzing" tools to sniff out 
previously undetected vulnerabilities in file formats.

"This is all part of the much wider use of fuzzing," says Hwang.

If history is any indicator, Microsoft will not patch the Word 
vulnerability in December. The company took 26 days to patch the May 
flaw, for instance, 118 days to fix a similar Excel format bug, and 27 
days to patch PowerPoint.
