Symantec intercepts Microsoft Word exploit

Symantec intercepts Microsoft Word exploit

Summary: Just 24 hours after Microsoft shipped a patch for a critical vulnerability affecting Microsoft Word, researchers at Symantec say they have intercepted a malicious Word .doc rigged with a backdoor Trojan.


Symantec intercepts Microsoft Word exploitJust 24 hours after Microsoft shipped a patch for a critical vulnerability affecting Microsoft Word, researchers at Symantec say they have intercepted a malicious Word .doc rigged with a backdoor Trojan.

The malicious document exploits the workspace memory corruption remote code execution flaw patched in the MS07-060 and signals a renewed push by malware authors to release exploits immediately after Patch Tuesday.

Symantec researcher Orla Cox noted that exploitation of these types of vulnerabilities are very targeted -- aimed at specific companies -- and limited in nature.

In the Patch Tuesday bulletin, Microsoft confirmed that the flaw was being exploited in the wild.

In this instance, the rigged file is named "hope see again.doc" and arrives via e-mail. When the document is opened on an unpatched machine, the exploit drops a Trojan that uses rootkit techniques to avoid detection. The Trojan may also disable security software and programs.

To avoid suspicion, it also creates and opens a clean Word .doc written in Chinese with the same file name.

Symantec warns that the end result is a backdoor on the compromised computer that connects to a Chinese Web site on TCP port 80.

Topics: Malware, Collaboration, Microsoft, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • And that's why undisclosed/secret patches are not kosher

    I have suggested many times before that, as is obviously apparent here, reverse engineering of the patch has occurred and this reverse engineering lead to an exploit. In this case, the change is known, the reason for the patch is listed, and anyone in IT can therefore know what the root cause may be for any patch problems. This is as it should be.

    The point I am making now is simply that contrary to what MANY posted as unfounded poppycock, the patches are reverse engineered and changes are exploited. Had this change been piggybacked (undisclosed update as happened recently) on another change, the exploit could be in the wild without IT or anyone knowing there was a problem.

    They postponed the "published" patch thinking they, oh, don't allow ActiveX while the undocumented flaw that is hidden in the patch is now being exploited.

    Congrats to MS on fixing the flaw, get your systems updated, etc. MS might want to share the patch specifics with security vendors before release, because 24 hours is pretty short, but it is a continuous improvement process.

    • and shows why pre-disclosure is so bad

      As when 'security' teams, members, or vendors disclose a vulnerability before the maker has created and released the fix.

      Of course the criminals use all this information - for them it's a game.

      Which makes one wonder how the egotistical or otherwise 'abstracted' persons in the security community can be so stupid, or go so long undisciplined.
      Narr vi
  • You may want to mention it affects Macintosh systems and not Windows.

    • No, it affect Windows users

      Reading Symantec's report I see that it talks about "hkey...". That would be Windows. I believe that the nasty is delivered in a Word doc created by MS Word for Mac and that it targets Windows users.
      • Possibly. The article could be taken either way but... seems more likely it would target Windows.
    • Systems affected

      Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP

      Ryan Naraine
      • You forgot one:

        "This is a critical security update for supported editions of Microsoft Office 2000,
        Microsoft Office XP, and [b]Microsoft Office 2004 for Mac[/b]. For more information,
        see the subsection, Affected and Non-Affected Software, in this section."
        • trapped by your own words

          You really slipped here, ye, going by your usual diatribe.

          So you admit that Microsoft managed to insert its poison into other platforms. And it that it is able to do this because it acted as a monopolist, and drove out all word-processing competition (some of which was tending towards being very good) from the Macintosh platform.

          Of course this was all before your time, and you probably don't even recognise the contribution of Simonyi, who did innovate at Microsoft at the time, being responsible for what was good about Microsoft Word at the time.

          I sometimes think that there is no-one among the young who knows anything about making anything. And so you shoot your mouths off about who might be 'better'. While supporting the only safety you know within what seems to be the status quo.

          Things changed before, though, and they will again.
          Narr vi
          • Trapped? How?

            "You really slipped here, ye, going by your usual diatribe."

            Nice Ad Hom there. Tell me, how does it feel to be so full of hate for a particular company that it consumes you?
        • The exploit, not the vulnerability

          The exploit only affects Windows users.

          Ryan Naraine
  • RE: Symantec intercepts Microsoft Word exploit

    Got to work today...Big Norton AV downlaoad on the first workstation I checked and guess what....???? Immediately it showed that this station had a virus.. When the "Gal" and I use it loosly, came in I again told her that this was the last time I wanted to see that she had been checking out the soaps on the internet during her lunch. System OS win XP. All the other Stations except mine have 2000 Pro and none were infected.. sleep well