Experts Zero in on Zero-Day Exploits

Researchers: software restriction policies can lessen risk of microsoft word attacks

In lieu of a patch for a dangerous code execution hole in Microsoft Word, security experts are recommending that Windows users implement software restriction policies to blunt the effects of ongoing zero-day attacks.

Anti-virus researchers in mid-May first warned that a zero-day flaw in the ubiquitous Word program was being used in an active exploit by sophisticated hackers in China and Taiwan.

Within days of a warning from anti-virus vendors that malicious hackers were exploiting the vulnerability to launch attacks against select business targets, independent researcher Matthew Murphy said Windows XP users could mitigate the risk by simply using the Basic User SRP (software restriction policy).

"By using the Basic User SRP, users can launch Microsoft Word without the ability to write to certain registry and file system locations that the in-the-wild malware requires access to," Murphy wrote in the SecuriTeam blog.

"This is a stop-gap measure based on the threat profile of the malware at this time and is only necessary if youre still running interactively as an administrator," Murphy added.

"Organizations and individuals who follow best practice and log on interactively as non-administrators are currently not at risk," Murphy said. He also noted that users are less at risk from any exploit if they run the vulnerable application without full privileges.

Murphy also released a registry script that sets an SRP that runs any instance of winword.exe with the Basic User policy. He made it clear that the effectiveness of registry fix script is based on known characteristics of the payload and that future variants may alter the way the flaw is exploited.

The exploit arrives as a Word document attached to an e-mail. When the document is launched by the user, the vulnerability is triggered to drop a backdoor with rootkit features to mask itself from anti-virus scanners.

The SANS Institutes Internet Storm Center said in a diary entry that it received reports of the exploit from an unnamed organization that was targeted.

"The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software," said Chris Carboni, an ISC incident handler.

When the .doc attachment is opened, it exploits a previously unknown vulnerability in Word and infects a fully patched Windows system. The exploit functions as a dropper, extracting and launching a Trojan that immediately overwrites the original Word document with a "clean," uninfected copy. "As a result of the exploit, Word crashes, informs the user of a problem and offers to attempt to reopen the file. If the user agrees, the new clean file is opened without incident," the ISC diary said.

Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs, said the backdoor is programmed to call back to a server in China to report information about what the infected system looks like. The backdoor can also connect to specified addresses to receive commands from the malicious attacker.

Anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the registry; manipulate services; start and kill processes; take screen shots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

The ISC said the attackers appear to be aware that they have been outed and have been routinely changing the IP address associated with the attacks.

Because Word is such a widely used software program, the potential for a widespread attack remains significant. However, security experts say the number of actual compromises remains very low because the first attack was pointed at specific targets.

On the Microsoft Security Response Center blog, Microsoft program manager Stephen Toulouse said a software update is scheduled for June 13 to provide a comprehensive fix. "The attack vector here is Word documents attached to an e-mail or otherwise delivered to a users computer. The user would have to open it first for anything to happen," Toulouse wrote. He also confirmed that the attack requires administrator rights and urged users to set limitations on user accounts to mitigate the risk.

Microsoft has added signature detection updates to its Windows Live Safety Center.

Toulouse noted that the first wave of attacks provided evidence of commonality. "The attack weve seen is e-mail-based. The e-mails tend to arrive in groups; they often have fake domains that are similar to real domains of the targets, but the targets are valid e-mail addresses," he said.

Only two subject lines have been used so far. One is simply the word "Notice," and the other reads: "RE Plan for final agreement."

How to protect yourself

To reduce the possibility of being affected by this new exploit and the associated malware, Symantec Security Response advises users to do the following:

* Never open files contained in e-mail messages sent by those you dont know and trust

* Be extra careful when opening Microsoft Word documents, whether you receive them as e-mail attachments or through other means, such as a Web site or an instant message

* Use comprehensive Internet security software and keep it updated