Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Double Trouble: Microsoft Confirms Another Word Zero-Day Flaw



 By: Ryan Naraine
2006-12-12
Article Rating:starstarstarstarstar / 3


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Microsoft confirms a second, unrelated zero-day vulnerability in its widely used software program and warns that "extremely targeted" attacks are already under way.

Microsofts security response center has confirmed that a second zero-day vulnerability in its Word software program is being targeted by unknown attackers.

The latest flaw comes just days after the software maker issued a security advisory to warn customers against opening Word documents from untrusted sources. The two vulnerabilities are entirely unrelated.

The flaws were discovered during actual code execution attacks against select targets and highlight the Redmond, Wash., vendors struggle to cope with gaping holes in one of its most widely used products.

According to a US-CERT advisory, the latest bug is a memory corruption issue that occurs when a Word file is rigged with malformed data structures. No other details were made available.

Microsoft has not yet issued a formal prepatch advisory but, in a blog entry, Security Program Manager Scott Deacon listed affected software versions as Word 2000, Word 2002, Word 2003 and the Word Viewer 2003.

He said Microsoft Word 2007 is not affected by the second vulnerability.

Resource Library:

"From the initial reports and investigation we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis," Deacon added.

Click here to read about MS Office attacks being linked to corporate espionage.

Microsoft uses the "very limited, targeted attack" terminology to make a distinction between attacks that affect a broad number of customers randomly.

"Unlike these broad, random attacks, these very limited, targeted attacks are carried out against a very small number of customers [sometimes only one or two even] and are carried out in a very deliberate fashion against a specific organization or organizations," according to Christopher Budd, a program manager in the MSRC (Microsoft Security Response Center).

"Where the goal of these broad, random attacks is large in scope, the goal of these very limited, targeted attacks is generally to introduce malicious software on to the systems of the specific organizations that have been targeted," he explained.

Click here to read more about MS Excel zero-day attacks.

For most of 2006, flaw finders and attackers have been pounding away at Microsoft Office applications, discovering new ways to attack millions of Windows machines. The zero-day attacks against Word, Excel and PowerPoint users have all the characteristics of corporate espionage—where Trojan horse programs are used to drop keyloggers and data theft malware programs on target systems.

In almost all of the Microsoft Office attacks, e-mail is used as the initial infection vector, with social engineering lures to run attachments, according to Websense Security Labs, in San Diego. The exploits then connect to remote sites to download additional payloads, including rootkits capable of hiding from anti-virus and other security software.

"Although attacks in the past have been limited in target numbers, business sectors and regions, there is a potential for more widespread attacks with this Word zero-day," according to a Websense alert.

There are no prepatch workarounds available for either of the Word flaws.

Microsoft suggests that users "do not open or save Word files," even those that arrive unexpectedly from trusted sources.

"As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources," the company said.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save or Cancel before a file is opened. This offers a minor warning mechanism for Word users.

Microsoft plans to issue six security bulletins as part of its December batch of patches, but there are no Office fixes on tap. Unless an out-of-cycle update is shipped, the Word flaws will remain unpatched until at least Jan. 9, 2007.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.





  Reader Comments: Double Trouble: Microsoft Confirms Another Word Zero-Day Flaw
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xv㶲 ;^+(}LRlm,oKޝofiQ$$1Hm%sּlY}@|ݑ|YcX:Q æq/#!_TBp`VRBmOlˇ;)xC'ס"'ml_j| tf <$ ~3 jdHU 6)} p==\'DL=:/y]fؖqwh ͑J5(GJ\S#g]rLη-gqoT;ƨ??Wʪ)Jۿ]HQPwÑ;7@ږVj0U;ާ;yԸ} d}+5UJ`Z. G$_S::yXB,9"yd[nkMюR=2,gfVҘ gUUj,ǝ%?[U&U}Yf0ZhCA+t?c[ˠzq}ں~\z}rڻ"I]xF4pg Z_Zrn`Kk'^3R&:aZ+U~Ff;|lio]~<>$ׅYn Z_g90domYn_H.)M|T|Y|ěy30si2)=M8X@/@ש#4j5t-Mn #dh&/zh- @ho*KLru&@Sk~$M\5ņ])!edFSۤ%/^(P%!P샖_.[ jFTwIQQ#=^f/\R@3Al8{ØWҽT7wsY iغ\48߇]7+De. s5-wfzˢaZTpx3iW_.=mmxX18,]evr`\Է7JϏRQ^TjrkhS2ud8԰5Ŭ>'4}t>჎$>hƋCriYnL-rӇtu4A>+wGݺ~L=Wԇ5j`I l"&q} к`yn`2fC?F|MH>X^0 jps*~ =w= /| wA9{k6G~[>l0 z?N\KQo -2(%E2 4.gP)AH =k \99~ ޑvZ*&RP*m=!ԑtNܡZ*ݗh3aGe-n^ $ d6g2+IMiG0-&D7r"e.G 7Kᙖ6FlkVe y=0gГLdl{ ٚM> BB1[0 =wƠ:'_ ].;N/=]21 4fכ ngd50K%gYA3'|(@]4>+WuPÃ"`"+42[=! = PȭT)w^IY䞅T_9YX X`n ,Rd8ug6I 3Xh8GCW4jM;24%֊fۏRucIJەa]jk-T8V7Bj²yc<6B6`9HM^> 2fˣQ4ӫlJ Ւt> ]{8dOEM~K*+jS#SOoZrirX,y| lD0(2n( 鿙R&a+\ڨ\NaOwAsm0Hw[tMH ΧEa)e-'VUmTHb{q 0b={3rt\Xlnrp쟶Wה=) Υ_8̧W6y+U}>8`CLmRǖM}Bu߲6ϧ=)}faT5Clq-Z ;vm۽˦ sq,bjt-g @?7QQo> \!EX+LBYad[s6/ K?/|udA`'\qW["LJ}ܑe 6Nl*I-qۻ(Sܥ&;alâ˘_c3$6/Pk 0!P\Q-W0.#_L_LU1(TOnƻhCz X]>L,',@ЧCkz]W9*#__$hh<]HjP'VVR娨V*h_1*(Si95ɡ;S!΁t ?3YoN?+!f8hk0{]w \μ + '2E<&{HXeXFt%_(ƤOMqё,u` tV87V|<@? v: C\4<}gS4pfmWq=[JkjXXRO-x[z6Gs- ,rֻm?QeW᧘TVQqi?p;x跸@^5p?F]S؇Qgm/RU *~i/::zoJ.E׌Lu0ȈNÝWlȡTh78UoF*l[=G$1*@7Z ɖ~kVɪ Նgy1cIpR|9}->p)7poj-[zEnMsU-nyFDS =JTȵ#<Dp?n216ym/POG]մRߖ/19|6t8Y݄?`,fvѯJU056u 2 \zďuf1[@dC-sc dKssKl\7a ZnVɕG fI0@{EY(..>JuP*jIIz, :*h6Y+(#t+^ǽam.D<[ 17ʨTIV+Gs;"ʊg b|q{q>'F{lj>gWՄθ4;a,XLd;ɲ#X׵I74cְS=#nƍj`.ӪV$,: <7d}~UJ&2%SS5 qΟݚrC`>xInI墦Ak R;~O;a#ҵLp ( r^-ã,z(d2rYjdP\xO}+tSZ1wOXO]dK!O%EDOCVjgX&1W+ʬƼ f@48&oZU{"}QL ޟpف#{?J;!)hlw1NC}hIn}[ q޲oUh3 J@FG$bw}|ɾ3zV^6[{銿ð Oa嵀 ^W6w.ėtOz+~Jw.R1AR`'Myyqu4)$yy~|hq0)MF0Sk cn42l&zE Wq]WY0z)B3ZMUc z A06< ּ!>48|EQG$ !rF0xc.A-H7ԾN>$S4qJh"g:Q;)~ڲOCT䵤 g[UHN~'%6 DTz@0Hr吜ZC=?jmOfXyu3v츃%vd\:Gw*b,_}huӅ[eСwy$sm#g.Ս)A/]s>ͥ`L8M\gwhG(V=w9c2'4aϝUkݮ< # Cӝ閃(&HG.z<H 09nJs nu#k5yׅO>4D\/8#- LwF]YF 'oc Ǿv/ݻw~Zw[q*A=wMG?'dc:M"I^U֫UdU)I}YE㳏)G8}b]0d&'q=+=#tzoѯo=إ'֛<A?|}& ~ ]=PI=뻿~=Ғ(r_&ZDNpw5Q${qI9.xu?,K`\Ty^v} l$>?GFm"fFcME[o溧<|nƄ?P [̗qk ܖ ,$V h ~w!-! aD4A MH621iJ}5 <4 낟o@˒o2XV{E)auJY%Ɣ@š+]IRe;TޝŔҶ,Vx:(ĆR GM^2˒atzxdZ-H2+b@bz]-xiꏭoΎJy[V+6ɹN c frIV0.]=TIZ1_[B[Xn_a-*1w:@g0KhHO8|b1Ɩw)5Il%W)¾k,!N"-Tb"iBVJ{.$ sT⌫k7SeOxi'~I1tr2z8F{yJyJyJyJXT {Jc}Mvt>ԟ4v='[,{(^pg+_ayڗ2񋌯L[C kHn<܇KiR:+DRu$p!HAT<7 65'Kh sx[2؋ L'{DZؐ܃&i.I N0yti/|Icg~L@ ގ= z3Húu-9scKk I+((NywքK-|I-rỳ  0쇞vOx+QNMؚ.%cV bYbxV#[QY,qm"aaIY=ycˊ\%}<<+Uk_o^a>Kٕ;ƬB{}2)&>$B1p͕p$vg-^ܚD8$.BAawZdƮo|-..zNN/u/T>;i>f+84RjeIE#<$TaK`%^tM^8U|@'!AmeUS`+_{ 7)%%5G"Hl5mXV a1ˌ0xH$^JBO$KiセKpiK aċtUhw;?m, 4E 9,t"`OWO9wGcw/!u-9#n%h l2آn {7d" bIڴ;Q=~a^x֩ psd\IJcձ{1݉;^ #*5, +lyM֫ߓMXg@ݹnʭY_WH&"˷o͓ih zcmo Ѷ5?6۬7oǴJvj}c&kk3"A-[of6௶eul>//<}>dUoko#fy[mV)KWjhkHҲn}6Azl/LEfph6_fؐ+l%I"q0M-QqD3g/ S$Xy[ "GK,+upMz\ sZ[ۦWHX=[l$_UÜZK@{6I݋FP ъ#;ЋL;dSzr!L7</35n[*g ]G?ځrUdSo|֊[N[iΞCmy| [D1pS/!]z?*ǝ@ u~ﶳ`"FVVrc[ateTQU~;!/^q I B(,΀hF]"elXEy=F?PM={MPD_nt}Q+"؅]PVô1(0~bJbFyA y!FvY{Kb+nJ7;$qPhkjj55AV^ uCckjrD,?t$"R./> l?QX2zLzm/-Iypp^A=sj41!r>&ƘKjx3VQjz~zz_ZbiE.c 2Zs!1cTA9-9j"". jD-~ki1|K&೚bfģ Zkah;Xykj=!vc` FK.қ-Xln%YթlݹY熏<5=p3P=Ӓ"Z{2֑: b楒V,T)ۺg?z=)dIg@֌2Jta|H>HP*$Zz 婼92d0-^awUqji\4#lo)qB2<]yWCW|-u1 mm@+>N ,'&`Cq krt&7\9P[I8G_ 6a^zGZq!IG)}o #b2zޘ9p" Y,Z `Oh$~b 2uFf."T( 0`NvCsN.`о꣇U #v]_xy;d@SgU Y[{|G!'vQ]Q sC-]Q._Xuh c1zS?!m#!k^bΑf,Xƨ?\]R0F$u"#:- ZYhIED#ThbGF#&~I79m[ 45aBx ld Dps= dl3ۈ) c 6#&| ᔼ- :]w@>:LQXj*!b3wأ4ϓ/ IFK*ET&}fA=bAa~L­!Rjs# h_'f4`]Xg- .E.ӻq(MqWyFr&hf,ywN7`C'[E9Y|ob{LgA~\b0Ԑ0(VIB uXRFB(s 39$c 36ú~> _f Bh),f,TՊR &uUC !2,=VR"ۀ<>[AguU r VH+^@03:%b`f:X4//?iӫv?O:N{x Zӷptԝsk}>]~>\/:\`&hT湾,gHFYm3;eAq(gM B*rK xU< /%qx&؁qItPJTَ/!jbTթ4MW?fz Uײr:ϏПxu3K_99q Χ65A9^Z4I 'M&7bQ>o Hk&5+<v<(2_2ʯjsI8Qރ^F9r`sy hjg@Si}CgG(ku6wZFQd3r'Ƈ~Fg(gٮ. Y v> tn]nv?2z'(Q~gdwQ{1 ?sw1~=/=? /q _fs?}g?d_P>f'(U}S::3/9IR< 9k^픊8kgK " SV9,.N3kP g  ~-22B @~~ KJ+ťW*7YKxM}%k{[F1nvd}WG{1:,y&e^>&c˼$=)>w懤Ix]"&JR˯-cENj9.~QJxdR$dZ+mFDūQU|,y|e8Nt7<1W }^f6? fv t{r.v)n7W,pK|SG0U75ipqhg?>/yd֦WVFkp'k͠~%k"N^t>yУx߇ ߚD,| e%Hi_1\=x|fOvHy>lobV/OUq< 5'pN!3J81|fZ g~Nq`F]Q[t=ӯ.h DN͡a[@R'b$VT+[-WJr= fDD/&Q5YUdJ.'jeV*V&K=# .=m^t fM-ϡ'!pA>fJ5G P1=: jǬ*Yۼx`T;7i5@18Lo9Xj-/#RQ+xKz9&\ʠaC7ao/Yb+F;c`\';=2g)s?7B΄[6пC s%(ML R8, ODQYqíd<@T6?rށwr$u~H-|#KFUxq/ C4|'S<_=ul8=;l؆"4 ]ݸ3EK~xR Hn2o-;Ԥ.$2|~1'Q>ಓH_b'ce'<"4^_sYܳBDl\TƇ ?YgH/K_zLM=X7`0/F{{Pd>x*8" 2H 2s{B|%؄Z{JfB2,'KYЄ2v]~;, {+2‡_i u. MSA۹$}^X?f&}#K^'z >Iϐh :nRgj kk"t^wkdU9Hr&zu h$.7=k"6: gKbD6nm+0\d~d;wn 3Rۙ,`'/2^;'g\zH|k,XoϨTx ֒_/gwǁ;ysԷeEQ&PLŽc)JqK+yHRͤO[=$sDs݅ ߠ(b/<% R5{\6LDRg }J0~N:]v0N@9DePީ!/;vk3F)fޜSxSEzV?ĵ & M|wخ;Oq^'d9E{>Ku!A]=_v{[=/'R`pMg*QTD KQ)Ybd㜙/699jλe Ǣ8"U];#6sQ/>uKׂ}Q'aȶZ{]#+b 1Cc]R>Ŕ+ ]'[ۧ3й?-{/e; _X (K#LIN8u vKѺ v7"aaNo0n,ـ&@ s=c:p3z26  ѨpSTUDl3^kgycD]E>*Ѝ *.<*Il}ralX ^|޹+o3Љe;7ǿaln,eH&}kqd.GDI qk,Ma4,Lb5"[]QI(`vX3|"@a)5z`n~3 f<˜4W6QĶqynuҵ-ˉ;`yO|d֊&|ƷZ2cˤ_ l$n+