Microsoft is investigating reports of attacks against a
newly disclosed, unpatched flaw in Microsoft Word. Attackers who
successfully exploit it could run malicious code on a victim's
computer.
"There have been very limited attacks reported that are
attempting to use the reported vulnerability at this time," a
Microsoft spokeswoman said in an email. "Microsoft will continue to
investigate the public reports to help provide additional guidance
for customers as necessary."
Once its investigation is complete, Microsoft said it will take
the appropriate action to protect its customers, which may include
issuing a security advisory or providing a security update through
its monthly release process.
Cupertino, Calif.-based antivirus giant Symantec Corp. sent an
alert on the new Word zero-day to customers of its DeepSight threat
management service earlier Thursday. According to the alert,
"Microsoft Word 2000 is prone to a remote code-execution
vulnerability that arises because of a memory-corruption
vulnerability."
Symantec said the exact nature of the problem isn't yet clear,
but that code execution in Word 2000 and Word 2003/XP has been
confirmed. The company said it will provide a more detailed
analysis once its investigation is finished.
Of the flaw, Symantec said, "An attacker could exploit this
issue by enticing a victim to open a malicious Word file. If the
attack is successful, the attacker may be able to execute arbitrary
code in the context of the currently logged-in user."
The company added, "Exploits against Word 2003/XP result in a
denial of service due to complete CPU utilization, denying service
to legitimate users."
This is the fourth zero-day flaw reported in Word in recent
months. Microsoft has acknowledged each flaw, but has not yet
issued a security update to fix them. When Word fixes weren't
included in the software giant's January patch rollout, security
experts speculated that the company might be compelled to release
an out-of-cycle patch. That hasn't happened yet, and the next
scheduled patch release is Tuesday, Feb. 13.
As for attacks against this latest flaw, Symantec described the
sequence of events in its advisory:
- A malicious Word document arrives by email with a fake message
designed to dupe the user into opening the attachment.
- When the infected Word document is opened, it drops Trojan
horse programs onto the machine that allow the attacker to gain
remote access.
- The attacker then creates a clean Word document named "Summary
on China's 2006 Defense White paper.doc."
- The Trojan then checks for Internet connectivity and, once
connected, creates a back door on the machine.
- It connects to the pop.newyorkerworld.com domain on TCP port 80
and carries out its instructions, which could include stealing
files and uploading them to a remote server or recording the user's
keystrokes in hopes of harvesting credit card
information.
Symantec recommended users mitigate the threat by not accepting
or executing files from untrusted or unknown sources.
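
The back door traffic in Symantec's sequence gives defenders one network indicator to sweep for. The following is an added example, not code from Symantec or Microsoft: it scans web proxy log lines for clients that contacted pop.newyorkerworld.com. The log format, timestamps and client addresses are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator taken from the Symantec advisory quoted above.
C2_HOST = "pop.newyorkerworld.com"
C2_PORT = 80

# Constructed sample lines in an assumed format: "<time> <client> <method> <url>".
SAMPLE_LOG = """\
2007-01-26T09:14:02 10.0.4.17 GET http://POP.NewYorkerWorld.com/index.htm
2007-01-26T09:14:09 10.0.4.17 POST http://pop.newyorkerworld.com.:80/up
2007-01-26T09:15:30 10.0.4.22 GET http://pop.newyorkerworld.com.example.org/
2007-01-26T09:16:44 10.0.4.23 GET http://www.newyorker.example/pop.newyorkerworld.com
2007-01-26T09:17:01 10.0.4.31 CONNECT pop.newyorkerworld.com:443
malformed line
"""

def c2_contacts(log_text, c2_host=C2_HOST):
    """Return {client_ip: [(timestamp, port), ...]} for requests to the C2 host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        when, client, _method, target = fields
        # CONNECT targets are bare host:port; give urlsplit a netloc to parse.
        parts = urlsplit(target if "://" in target else "//" + target)
        try:
            port = parts.port
        except ValueError:
            continue  # non-numeric or out-of-range port
        # hostname is already lower-cased; drop the trailing dot of an FQDN.
        host = (parts.hostname or "").rstrip(".")
        if port is None:
            port = 443 if parts.scheme == "https" else 80
        # Exact host or a subdomain of it. A plain substring check would also
        # match look-alikes such as "pop.newyorkerworld.com.example.org".
        if host == c2_host or host.endswith("." + c2_host):
            hits[client].append((when, port))
    return dict(hits)

if __name__ == "__main__":
    for client, seen in sorted(c2_contacts(SAMPLE_LOG).items()):
        on_80 = sum(1 for _, port in seen if port == C2_PORT)
        print(f"{client}: {len(seen)} request(s), {on_80} on TCP port {C2_PORT}")
```

Contacts on ports other than 80 are still reported, since any request to that host from an internal client warrants a look at the machine.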