By Ryan Naraine
December 12, 2006
Microsoft's security response center has confirmed that a second
zero-day vulnerability in its Word software program is being targeted by
The latest flaw comes just days after the software maker issued a
security advisory to warn customers against opening Word documents from
untrusted sources. The two vulnerabilities are entirely unrelated.
The flaws were discovered during actual code execution attacks against
select targets and highlight the Redmond, Wash., vendor's struggle to
cope with gaping holes in one of its most widely used products.
According to a US-CERT advisory, the latest bug is a memory corruption
issue that occurs when a Word file is rigged with malformed data
structures. No other details were made available.
Microsoft has not yet issued a formal prepatch advisory but, in a blog
entry, Security Program Manager Scott Deacon listed affected software
versions as Word 2000, Word 2002, Word 2003 and the Word Viewer 2003.
He said Microsoft Word 2007 is not affected by the second vulnerability.
"From the initial reports and investigation we can confirm that the
vulnerability is being exploited on a very, very limited and targeted
basis," Deacon added.
Microsoft uses the "very limited, targeted attack" terminology to make a
distinction between attacks that affect a broad number of customers
"Unlike these broad, random attacks, these very limited, targeted
attacks are carried out against a very small number of customers
[sometimes only one or two even] and are carried out in a very
deliberate fashion against a specific organization or organizations,"
according to Christopher Budd, a program manager in the MSRC (Microsoft
Security Response Center).
"Where the goal of these broad, random attacks is large in scope, the
goal of these very limited, targeted attacks is generally to introduce
malicious software on to the systems of the specific organizations that
have been targeted," he explained.
For most of 2006, flaw finders and attackers have been pounding away at
Microsoft Office applications, discovering new ways to attack millions
of Windows machines. The zero-day attacks against Word, Excel and
PowerPoint users have all the characteristics of corporate
espionagewhere Trojan horse programs are used to drop keyloggers and
data theft malware programs on target systems.
In almost all of the Microsoft Office attacks, e-mail is used as the
initial infection vector, with social engineering lures to run
attachments, according to Websense Security Labs, in San Diego. The
exploits then connect to remote sites to download additional payloads,
including rootkits capable of hiding from anti-virus and other security
"Although attacks in the past have been limited in target numbers,
business sectors and regions, there is a potential for more widespread
attacks with this Word zero-day," according to a Websense alert.
There are no prepatch workarounds available for either of the Word
Microsoft suggests that users "do not open or save Word files," even
those that arrive unexpectedly from trusted sources.
"As a best practice, users should always exercise extreme caution when
opening unsolicited attachments from both known and unknown sources,"
the company said.
Users who have installed and are using the Office Document Open
Confirmation Tool for Office 2000 will be prompted with Open, Save or
Cancel before a file is opened. This offers a minor warning mechanism
for Word users.
Microsoft plans to issue six security bulletins as part of its December
batch of patches, but there are no Office fixes on tap. Unless an
out-of-cycle update is shipped, the Word flaws will remain unpatched
until at least Jan. 9, 2007.
Subscribe to InfoSec News