Microsoft Confirms New Word Zero-Day Attack

Malicious attackers are exploiting a new, undocumented flaw in Word 2000 to load back-door Trojans on Windows machines.

Theres another Microsoft Word zero-day attack under way.

Microsoft on Sept. 5 confirmed that malicious attackers are exploiting a new, undocumented flaw in Word 2000 to load back-door Trojans on Windows machines.

The acknowledgment follows a warning from anti-virus vendor Symantec that the threat was detected in the wild targeting Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP systems.

A spokesman for Microsoft said the Redmond, Wash., vendors security response team has investigated the report and concluded that the attack is limited to users of Word 2000. "[We are aware of] an attack scenario that involves malware known as Win32/Wordjmp and Win32/Mofeir," the spokesman said, adding that definition updates have been rolled out to the companys free Windows Live OneCare safety scanner for detection and removal.

Security alerts aggregator Secunia rates the flaw as "extremely critical" and urged Word users to avoid opening Word documents from untrusted sources.

/zimages/1/28571.gifMicrosoft advises: Use Microsoft Word in safe mode. Click here to read more.

The FrSIRT vulnerability research team described the bug as a "memory corruption error" that occurs when Word 2000 handles a malformed document. "[This] could be exploited by attackers to execute arbitrary commands by tricking a user into opening a specially crafted Word document," FrSIRT said in a published advisory.

Symantec said its virus hunters intercepted a double-barreled attack that comes with a Trojan dropper and a back-door worm. The dropper, identified as Trojan.Mdropper.Q, is used to distribute two pieces of malware—clipbook.exe and clipbook.dll—on the infected system.

The two files are linked to Backdoor.Femo, a Trojan horse with process injection capabilities.

The back door listens for the commands from a remote attacker and could be used to access the Windows command shell, run executable files, delete/create files and folders, or download additional files from the Internet.

The latest attack follows similar exploits targeting unpatched flaws in Microsoft Office programs. Since July, there have been separate zero-day attacks using specially rigged Word, Excel and PowerPoint files.

In 2005, Microsoft shipped patches for five flaws affecting all versions of Office. In the first eight months of 2006, that number skyrocketed to 24.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.