Yet Another Word 'Zero-Day' Exploit Surfaces
- By Stephen Swoyer
- January 29, 2007
Don't look now, but word surfaced last week of still another Word zero-day attack. That brings the tally up unpatched Word zero-day attacks up to four. Microsoft's Patch Tuesday on Jan. 9 was conspicuously bereft of patches for any of then-extant Word exploits, and -- with a fourth one in the wild, and with proof-of-concept code possibly circulating -- it looks like Microsoft Corp.'s next Patch Tuesday can't come fast enough.
Microsoft last week confirmed that crackers are targeting a new, as-yet-unpatched Word vulnerability in several limited attacks.
“We are currently investigating a report of a posting of proof of concept code which could allow an attacker to execute code on a user's machine in their security context by convincing them to open a specially crafted Word document," wrote Alexandra Huft in a post to Microsoft's Security Research Center (MSRC) blog last week.
"We are aware of very limited, targeted attacks attempting to use the vulnerability reported," she confirmed.
What does Microsoft mean by "very limited, targeted attacks?" In a post to the MSRC blog last December, Microsoft's Christopher Budd said such attacks are typically "carried out against a very small number of customers" --even as few as one or two --or are "carried out in a very deliberate fashion against a specific organization or organizations."
According to security researcher Symantec Corp., attackers who successfully exploit the latest Word zero-day bug could gain complete control of any system running Word 2000; an attacker could trigger system crash and denial-of-service (DoS) on Word XP (Office 2002) and Word 2003 systems.
"We've seen many threats using vulnerabilities based on Microsoft Office documents over the last year, so it's no surprise that we have recently observed new samples of a threat that follows the same theme. This threat named Trojan.Mdropper.W is using the new Microsoft Word 2000 Unspecified Code Execution Vulnerability (BID22225) to drop threats onto a compromised computer," wrote researcher Hon Lau in a post to Symantec's Security Response Weblog. "When the infected Word document is opened, it uses an exploit to drop some files onto the computer. These files are back door Trojans that enable an attacker to gain remote access to your computer."
Unpatched Word Leaking Like a Sieve?
Microsoft released its last round of patches on January 9. Notably absent from that collection were fixes for three then-extant exploits that target unspecified vulnerabilities in all supported versions of Microsoft Word, along with Microsoft Works. Even as far back as early December, Microsoft officials acknowledged that they were investigating rumors of Word "zero-day" exploits.
"I wanted everyone to know that we're actively investigating and monitoring all of these issues through our Software Security Incident Response Process and we are working on developing and testing security updates for the three issues, which we'll release as part of our release process once they've reached an appropriate level of quality," wrote Alexandra Huft on Microsoft's Security Response Center Blog in December.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.