A fifth MS Word zero-day?

[Updated: January 31, 2006] Virus trackers at Symantec have raised an alert for what is believed to be a fifth unpatched -- and previously unknown -- security flaw affecting Microsoft Word.  

The company is working with Microsoft's security response center to sort out whether this is unrelated to the four other Word zero-days that remain unpatched. [See 12:58 pm update below].

"We believe this is a new vulnerability, making it the fifth currently unpatched Office file format vulnerability. While these documents are being used in a targeted attack consistent with previous cases, we have received different documents that use this same exploit from multiple organizations," according to a note from Eric Chien, a security response engineer at Symantec.

Chien said the rigged Word documents have each been designed specifically for the targeted organization in both language and content. This clearly suggests either corporate or government espionage, where sophisticated spear phishers use e-mail lures to trick targets into launching dirty .doc files.

The e-mails appear genuine -- coming from a colleague or someone within the organization who routinely sends out group messages -- but the attached file comes with a dangerous payload that includes Trojan downloaders and backdoor programs that give an attacker access to a company's entire computer system.

This is why Microsoft's pre-patch guidance is so blunt: "Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources."

If Redmond confirms this is a new (fifth) Word zero-day, a security advisory will be released to warn of the attacks and to provide potential workarounds.

[Update: According to Bugtraq ID 22328, this issue affects Microsoft Word 2003 Viewer, Microsoft Word 2003, Microsoft Office 2003 (SP1 and SP2)]

[Updated: January 31, 2007 @ 12:58 pm] Just got a note from Microsoft's security response team. The company's initial investigation shows that this is not a new vulnerability but a duplicate of an already known public issue.


Talkback

  • Microsoft admit that their products don't work??

    From the article: "This is why Microsoft's pre-patch guidance is so blunt: 'Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.'"

    Linux users do not have to worry that a document arriving by email will infect the underlying Operating System with malicious software. Mac users do not have to worry that a document arriving by email will infect their Operating System with malicious software. In fact the ONLY Operating System which allows a word processing document to compromise the Operating System through its integrated email client, is Windows.

    And Microsoft's response? Well, it's at the start of this post. And translated into non-PR jargon, it says -

    "Yes, you are paying for an email system you cannot use. That's right, you may want to send a document to a customer, but you CAN'T, because they don't know you. No, Microsoft DO still require full payment for the email client, even though you dare not use it for sending and receiving attachments, like other OS users. That is correct, most of the functionality we claim is an integral part of Outlook - i.e., sending and receiving attachments - cannot be used. Of course you still have to pay. If you want an email client that won't compromise the underlying OS, please pick an OS into which the email client wasn't embedded homogeneously, in order to snuff out 3rd party competition. You don't like it? Tough".

    Why are so many people happy to pay Microsoft for the use of a product which Microsoft themselves warn the purchasers against using? Can anyone think of another example in any other domain where such a blatantly unfit for purpose product is still sold by the manufacturer, alongside dire warnings about not using it??
    whisperycat
  • A fifth MS Word zero-day flaw?

    Another example of MS not releasing patches on a regular basis. All they are really caring about is shoving Vista down everyone's throat. Why do you think they are delaying XP SP3 until '08 and releasing Vista SP1 sometime later this year? This is just another example of MS not really being concerned about consumers &/or businesses in general.

    Side note. I'm using NIS '07 on both my laptop & pc, both of which were custom built. NIS '07 is a far superior product than anything MS can manufacture from a security standpoint. Looking forward to downloading Sonar in a few weeks.

    Any comments would be appreciated.
    rondev
  • Don't worry unless you're one of the lucky few...

    Microsoft Word has now been effectively rendered a permanent source for exploit. The previous flaws will be patched in February, this one will be patched in March.

    The criminal data-mining industry has pretty much hit the sweet spot on timing and since they're showing restraint, the 900Lb. gorilla has plenty of time to work out patching Word, after all, there's no urgency. It's not like the sweaty-palmed teenager phase where Bad PR was generated when a fast spreading worm using these exploits was compromising hundreds of thousands of computers in a day.

    It is now a more cerebral and fun way of making a living as you need to get to know your target so you can best polish up your bait so it is targeted to the right person with the proper wrappings so it seems to be yet another corporate correspondence from the right person. You, the criminal data-miner, have a more satisfactory job and your restraint pays off as Microsoft isn't overly worried about the 10-12 companies you successfully compromise, after all what are they going to do, hire CNN to publicly announce they don't properly filter Word documents?
    Boomslang