By Ryan Naraine
January 25, 2007
Microsoft's security response team has launched an investigation into
reports of a zero-day attack against a previously unknown vulnerability
affecting its ever-present Microsoft Word program.
The Redmond, Wash.-based software maker said it's aware of "very limited
attacks" exploiting the reported Word flaw. If the vulnerabilityand
attackis confirmed, the company is likely to issue a pre-patch advisory
with workarounds or suggested actions or vulnerable customers.
The vulnerability was discovered during an actual live attack by
anti-virus vendor Symantec. It affects multiple versions of Microsoft
Word and can be used in successful code execution attacks against users
of Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows
Server 2003, Windows XP.
According to an advisory from Symantec, the flaw is unrelated to the
three previously known Word bugs that remain unpatched.
In the attack scenario discovered by Symantec, a rigged Word document
arrives by e-mail with a lure to trick the target into opening the file.
"When the infected Word document is opened, it uses an exploit to drop
some files onto the computer. These files are back door Trojans that
enable an attacker to gain remote access to your computer," the company
Once the exploit is launched, the attacker drops a backdoor Trojan on
the infected machine and immediately creates a clean Word document named
"Summary on China's 2006 Defense White paper.doc."
The Trojan then checks for Internet connectivity by visiting various Web
sites, such as Microsoft, Google or Yahoo and opens a back door on the
It then connects to the pop.newyorkerworld.com domain on TCP port 80 and
uses the command prompt specified instructions to carry out basic
operations, Symantec said. These could include logging keystrokes or
hijacking sensitive documents and uploading them to a remote server.
"To protect yourself against these threats, do not trust unsolicited
files or documents about 'interesting' topics. Do not open attachments
unless they are expected and come from a known and trusted source,"
The latest incident closely resembles similar attacks against flaws in
Microsoft Office software products, prompting speculation among security
researchers that they are closely linked to corporate or even government
In December 2006, Microsoft confirmed three separate Word flaws that
were being used in code-execution attacks against select targets. They
Subscribe to InfoSec News