No Patch Yet for New Word Zero-Day Flaw

Microsoft yesterday acknowledged yet another zero-day flaw in Word is being exploited.

“We are investigating reports of another new vulnerability in Microsoft Word–initial investigation has shown that this is a different issue to that reported in Microsoft Security Advisory 929433,” says Microsoft Security Response Center blogger Scott Deacon. “From the initial reports and investigation we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis.”

Microsoft says the flaw affects Word 2000, Word 2002, Word 2003 and Word Viewer 2003.

It appears that the flaw may have first been reported by messaging security services provider MessageLabs, which detected the attack on Dec. 7.

“This attack used a new, previously unknown and unannounced, zero-day vulnerability in Microsoft Word,” says the MessageLabs advisory. “The attack appears to be designed to access confidential information through the victim’s computer.”

MessageLabs reports that the attack originated from a Yahoo e-mail account and has an attachment called “Rapid Response issues.doc,” which contains the malicious code exploiting the new flaw.

“The vulnerability would then cause MS Word to drop an executable file, executing it and exiting,” says MessageLabs. “The executable file then drops another, now clean, Word document with a similar name and another executable file.”

When the “clean” Word document is opened, MessageLabs says the dropped executable file gets executed and remains resident in memory where it does a number of malicious actions, “including waiting for remote commands sent to another e-mail address, checking a particular Web address–possibly, for updates, or for getting remote commands–and gathering information about the system it is executed on. When specific information about the system is collected, it sends it to a particular e-mail address.”

“MessageLabs recommends e-mail users…do not open documents from untrusted sources and use extreme caution even when opening documents from trusted sources,” according to its advisory.

This is the second such Word attack to be confirmed by Microsoft in the past week. Last Tuesday, Microsoft warned of a similar Word flaw, saying that it was aware of “limited attacks attempting to use the vulnerability.”

Neither problem is expected to be fixed in Tuesday’s software patches, which will address flaws in Windows and Visual Studio.

-Compiled by Shawna McAlearney

Related articles

Security Hole Found In Windows Media Player

Usersare being advised to disable a certain type of file in Microsoft’sWindows Media Player software following the discovery of a new securityhole.

New Attack Targets Microsoft Word

There’s now one more reason to be careful about opening Microsoft Office attachments.