May 19, 2006 11:32 AM PDT

Zero-day Word flaw used in attack

A new, yet-to-be-fixed security hole in Microsoft Word exposes computer users to cyberattack, Symantec warned Friday.

Would-be intruders already have attempted to compromise PCs at a Japanese government entity by exploiting the flaw, Vincent Weafer, the senior director at Symantec Security Response, said in an interview. In response, Symantec has raised its ThreatCon to Level 2, which means an outbreak is expected.

"What we're seeing is a continuation of the targeted threat using zero-day vulnerabilities," Weafer said. (Zero-day flaws are ones for which no patch exists.) "We got it from a single large customer inside Japan. We have not seen anyone else get it."

Microsoft is readying a security update for Word that repairs this vulnerability, a company representative said in an e-mailed statement. The fix is scheduled to be released as part of the June 13 security updates, or sooner, if warranted, the representative said.

The malicious software arrives as a Microsoft Word file attachment to an e-mail message. When the document is opened by the user, the vulnerability is triggered. In the Japanese case, the Word document actually displayed some text related to a treaty with China, but while the text was displayed, a backdoor was installed on the system, Weafer said. Backdoor software allows intruders to enter computers surreptitiously.

"The backdoor in turn pings an IP address located in Asia. It just pings to say it is available, but then, of course, you have a backdoor on your system," he said.

The vulnerability was confirmed in Word 2003, Symantec said. The malicious file caused Word 2000 to crash, but did not run the malicious payload, it added.

Exploitation of the security hole so far is only known as part of a single, targeted attack, Symantec said. "However, with the disclosure of this previously unknown vulnerability, new attackers may begin to exploit it in a widespread manner," the Cupertino, Calif., security company said in an advisory sent to customers.

The targeted attack can bypass spam filters, and Symantec's antivirus software doesn't yet detect the particular Word file as malicious, Weafer said. "We are looking at the vulnerability itself, in terms of generic blocking," he said, adding that the security software does detect the backdoor and the installer of the backdoor.

Microsoft and Symantec urge caution in the opening of Word documents received as an unexpected e-mail attachment.

See more CNET content tagged:
back door, Symantec Corp., vulnerability, Microsoft Word, attack

6 comments

Join the conversation!
Add your comment
This should be fun!
Ok, everybody jump in!
Posted by J_Satch (571 comments )
Reply Link Flag
Protection from Threat
I would assume that business users behind a firewall and home user behind a router are protected from the back door since a port needs to be opened in order to gain access to the back door.
Posted by wxguy (1 comment )
Reply Link Flag
Depends
It depends on how the backdoor is configured. If it needs to be an open port, sitting and waiting for orders, then yes, a simple NAT router would prevent the backdoor from being exploited even if it were installed.

However, many backdoors instead configure the zombie to initiate a connection to an outside server (IRC is common). Since many firewalls are configured to allow all outbound traffic, and it's the zombie going outbound to make the connection, this effectively bypasses firewalls.
Posted by MrNougat (78 comments )
Link Flag
protection
Isn't the protection for this the same as it is for other virus' ... don't open email attachments (unless from somebody you know AND you are expecting one)?

Could just wait to open that email until the virus definition is passed out, or you find out from the person themselves that it's legit.
Posted by dragonbite (452 comments )
Reply Link Flag
Solution
Solution = Linux
Posted by stacksmasher (8 comments )
Reply Link Flag
So...where can I see the flaw?
How can I be sure that my antivirus software will portect me?

Is this something that can't be fixed? Is that why MS recommends "Safe mode"?

How can a Word doc contain installer code (or code period) that can't be seen by antivirus products or Word itself?
Posted by Jim Hubbard (326 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.