New Microsoft Word zero-day exploit discovered
Trojan.MDropper-Q is exploiting a vulnerability in Microsoft's word-processing application that could allow attackers to take control of certain machines.
With a week to go before Microsoft releases its next batch of security patches, vulnerability watchers are warning of a new zero-day Word flaw that attackers could exploit to take control of Windows 2000 machines.
The threat was first reported by Symantec in an email advisory to customers of its DeepSight Threat Management Service.
According to Symantec's analysis, Microsoft Word is prone to an unspecified remote code-execution vulnerability attackers could exploit to execute arbitrary code on a vulnerable computer by supplying a malicious Word document to a user. If a recipient opens such a document, an attacker could "gain subsequent unauthorised access to the computer in the context of the user."
Symantec said the vulnerability is being actively exploited by Trojan.MDropper-Q.
Trojan.MDropper-Q in turn unloads another piece of malware onto affected machines that Symantec identified as Backdoor.Femo. This malware, first detected in the wild three years ago, hands control of an affected machine to an attacker.
While Symantec withheld full details of the vulnerability, the French Security Incident Response Team (FrSIRT) described it as a memory-corruption error when handling a malformed document. It rated the flaw as critical, due to the active exploits.
In its advisory, Danish vulnerability clearing house Secunia rated the flaw "extremely critical" - the highest of its threat ratings - confirming the existence of the flaw in Microsoft Word 2000 running on Windows 2000 machines.
Secunia and Symantec recommended users mitigate the threat by not opening untrusted documents.
"Users should never accept files from untrusted or unknown sources, because they may be malicious in nature," Symantec said. "Avoid opening email attachments from unknown or questionable sources."
Symantec also recommended IT shops battle the threat with multiple, redundant layers of security.
"Since this issue may be leveraged to execute code, we recommend memory-protection schemes, such as non-executable stack/heap configurations and randomly mapped memory segments," Symantec said. "This tactic may complicate exploitation of memory-corruption vulnerabilities."
Microsoft did not immediately say whether it has confirmed the existence of the flaw or when a patch might be issued. The software giant's next monthly patch release is on 12 September. An advance notice on the programs to be fixed will be available on Microsoft's TechNet site Thursday.
