[ISN] Double Trouble: Microsoft Confirms Another Word Zero-Day Flaw

From: InfoSec News (alerts@private)
Date: Tue Dec 12 2006 - 22:01:15 PST


http://www.eweek.com/article2/0,1895,2071558,00.asp

By Ryan Naraine
December 12, 2006

Microsoft's security response center has confirmed that a second 
zero-day vulnerability in its Word software program is being targeted by 
unknown attackers.

The latest flaw comes just days after the software maker issued a 
security advisory to warn customers against opening Word documents from 
untrusted sources. The two vulnerabilities are entirely unrelated.

The flaws were discovered during actual code execution attacks against 
select targets and highlight the Redmond, Wash., vendor's struggle to 
cope with gaping holes in one of its most widely used products.

According to a US-CERT advisory, the latest bug is a memory corruption 
issue that occurs when a Word file is rigged with malformed data 
structures. No other details were made available.

Microsoft has not yet issued a formal prepatch advisory but, in a blog 
entry, Security Program Manager Scott Deacon listed affected software 
versions as Word 2000, Word 2002, Word 2003 and the Word Viewer 2003.

He said Microsoft Word 2007 is not affected by the second vulnerability.

"From the initial reports and investigation we can confirm that the 
vulnerability is being exploited on a very, very limited and targeted 
basis," Deacon added.

Microsoft uses the "very limited, targeted attack" terminology to make a 
distinction between attacks that affect a broad number of customers 
randomly.

"Unlike these broad, random attacks, these very limited, targeted 
attacks are carried out against a very small number of customers 
[sometimes only one or two even] and are carried out in a very 
deliberate fashion against a specific organization or organizations," 
according to Christopher Budd, a program manager in the MSRC (Microsoft 
Security Response Center).

"Where the goal of these broad, random attacks is large in scope, the 
goal of these very limited, targeted attacks is generally to introduce 
malicious software on to the systems of the specific organizations that 
have been targeted," he explained.

For most of 2006, flaw finders and attackers have been pounding away at 
Microsoft Office applications, discovering new ways to attack millions 
of Windows machines. The zero-day attacks against Word, Excel and 
PowerPoint users have all the characteristics of corporate 
espionagewhere Trojan horse programs are used to drop keyloggers and 
data theft malware programs on target systems.

In almost all of the Microsoft Office attacks, e-mail is used as the 
initial infection vector, with social engineering lures to run 
attachments, according to Websense Security Labs, in San Diego. The 
exploits then connect to remote sites to download additional payloads, 
including rootkits capable of hiding from anti-virus and other security 
software.

"Although attacks in the past have been limited in target numbers, 
business sectors and regions, there is a potential for more widespread 
attacks with this Word zero-day," according to a Websense alert.

There are no prepatch workarounds available for either of the Word 
flaws.

Microsoft suggests that users "do not open or save Word files," even 
those that arrive unexpectedly from trusted sources.

"As a best practice, users should always exercise extreme caution when 
opening unsolicited attachments from both known and unknown sources," 
the company said.

Users who have installed and are using the Office Document Open 
Confirmation Tool for Office 2000 will be prompted with Open, Save or 
Cancel before a file is opened. This offers a minor warning mechanism 
for Word users.

Microsoft plans to issue six security bulletins as part of its December 
batch of patches, but there are no Office fixes on tap. Unless an 
out-of-cycle update is shipped, the Word flaws will remain unpatched 
until at least Jan. 9, 2007.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Tue Dec 12 2006 - 22:11:08 PST