[ISN] Microsoft Word Zero-Day Attack Discovered

From: InfoSec News (alerts@private)
Date: Thu Jan 25 2007 - 22:30:00 PST


By Ryan Naraine
January 25, 2007

Microsoft's security response team has launched an investigation into 
reports of a zero-day attack against a previously unknown vulnerability 
affecting its ever-present Microsoft Word program.

The Redmond, Wash.-based software maker said it's aware of "very limited 
attacks" exploiting the reported Word flaw. If the vulnerability, and the 
attack, is confirmed, the company is likely to issue a pre-patch advisory 
with workarounds or suggested actions for vulnerable customers.

The vulnerability was discovered by anti-virus vendor Symantec during an 
actual live attack. It affects multiple versions of Microsoft Word and can 
be used in successful code execution attacks against users of Windows 2000, 
Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and 
Windows XP.

According to an advisory from Symantec, the flaw is unrelated to the 
three previously known Word bugs that remain unpatched.

In the attack scenario discovered by Symantec, a rigged Word document 
arrives by e-mail with a lure to trick the target into opening the file.

"When the infected Word document is opened, it uses an exploit to drop 
some files onto the computer. These files are back door Trojans that 
enable an attacker to gain remote access to your computer," the company 

Once the exploit is launched, the attacker drops a backdoor Trojan on 
the infected machine and immediately creates a clean Word document named 
"Summary on China's 2006 Defense White paper.doc."

The Trojan then checks for Internet connectivity by visiting various Web 
sites, such as Microsoft, Google or Yahoo, and opens a back door on the 
compromised computer.

It then connects to the pop.newyorkerworld.com domain on TCP port 80 and 
uses the command prompt to carry out basic operations specified by the 
attacker, Symantec said. These could include logging keystrokes or 
hijacking sensitive documents and uploading them to a remote server.
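The beacon pattern Symantec describes (a connectivity check against 
well-known sites, then a connection to pop.newyorkerworld.com on TCP port 
80) is the kind of sequence an outbound proxy log can surface. The 
following is an added detection example written for this page; it is not 
code from the article or from Symantec. The log line format, the source IP 
addresses and the exact hostnames assumed for the connectivity check 
(www.microsoft.com, www.google.com, www.yahoo.com) are constructed for 
illustration, and the five-minute window is an arbitrary tuning choice. The 
C2 domain and the decoy document name are the ones the article reports.

```python
"""Flag hosts whose outbound traffic matches the behaviour described in the
article: a connectivity check against well-known sites followed shortly by
a connection to the C2 domain. Also checks a file name against the decoy
document the exploit writes.

Log format (constructed for this example, not a real proxy format):
    <ISO timestamp> <source IP> <destination host> <destination port> <method>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the article.
C2_DOMAINS = {"pop.newyorkerworld.com"}
DECOY_DOC_NAME = "Summary on China's 2006 Defense White paper.doc"

# The article names the sites, not the exact hostnames; these are assumed.
CONNECTIVITY_CHECK_SITES = {"www.microsoft.com", "www.google.com", "www.yahoo.com"}

# Constructed sample log: 10.0.0.12 shows the full beacon sequence,
# 10.0.0.33 only browses normally, 10.0.0.44 reaches the C2 domain on an
# unexpected port with no preceding connectivity check.
SAMPLE_LOG = """\
2007-01-25T09:00:01 10.0.0.12 www.google.com 80 GET
2007-01-25T09:00:02 10.0.0.12 www.microsoft.com 80 GET
2007-01-25T09:00:03 10.0.0.12 pop.newyorkerworld.com 80 POST
2007-01-25T09:05:00 10.0.0.12 pop.newyorkerworld.com 80 POST
2007-01-25T09:01:10 10.0.0.33 www.google.com 80 GET
2007-01-25T09:01:11 10.0.0.33 www.yahoo.com 80 GET
2007-01-25T09:30:00 10.0.0.44 pop.newyorkerworld.com 443 GET
"""


def parse_line(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, src, dst, port, method = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "src": src,
        "dst": dst.lower(),
        "port": int(port),
        "method": method,
    }


def analyse(log_text, window=timedelta(minutes=5)):
    """Return {source IP: sorted list of findings}.

    "c2_contact"      - any connection to a known C2 domain, on any port.
    "beacon_sequence" - a C2 connection within `window` after the host hit
                        one of the connectivity-check sites.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Order per host by time so the "last connectivity check" state is correct
    # even when the log interleaves hosts.
    events.sort(key=lambda e: (e["src"], e["ts"]))

    findings = defaultdict(set)
    last_check = {}  # src -> timestamp of the most recent connectivity-check hit
    for e in events:
        if e["dst"] in CONNECTIVITY_CHECK_SITES:
            last_check[e["src"]] = e["ts"]
        elif e["dst"] in C2_DOMAINS:
            findings[e["src"]].add("c2_contact")
            t = last_check.get(e["src"])
            if t is not None and e["ts"] - t <= window:
                findings[e["src"]].add("beacon_sequence")
    return {src: sorted(f) for src, f in findings.items()}


def is_decoy_document(filename):
    """Case-insensitive match on the decoy document name from the article."""
    return filename.strip().lower() == DECOY_DOC_NAME.lower()


if __name__ == "__main__":
    for src, hits in analyse(SAMPLE_LOG).items():
        print(src, ", ".join(hits))
```

Domain matching alone is enough to flag a host; the sequence check is there 
to show how the described behaviour (reachability test, then C2) can be 
expressed as a rule rather than a single indicator, which still fires when 
the C2 domain changes but the habit does not.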

"To protect yourself against these threats, do not trust unsolicited 
files or documents about 'interesting' topics. Do not open attachments 
unless they are expected and come from a known and trusted source," 
Symantec warned.

The latest incident closely resembles similar attacks against flaws in 
Microsoft Office software products, prompting speculation among security 
researchers that they are closely linked to corporate or even government 

In December 2006, Microsoft confirmed three separate Word flaws that 
were being used in code-execution attacks against select targets. They 
remain unpatched.


This archive was generated by hypermail 2.1.3 : Thu Jan 25 2007 - 22:47:17 PST