Microsoft Issues Word Zero-Day Attack Alert

Discussion in 'other security issues & news' started by ronjor, Dec 6, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    Story
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,
    This is where OpenOffice comes into play.
    Mrk
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    In the meantime, keep your bases covered.

    Secunia
     
  4. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,217
    Location:
    UK
    Microsoft Security Advisory (929433)
    Vulnerability in Microsoft Word Could Allow Remote Code Execution

    Microsoft is investigating a new report of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.

    In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.

    As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.

    Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

    http://www.microsoft.com/technet/security/advisory/929433.mspx
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    lol, MrK you never miss an opportunity :D
    I guess you can't help it,
    Someone
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Assuming that this exploit is similar to the others, here is a description of what happens:

    Microsoft Word 0-day Vulnerability FAQ - September 2006
    http://blogs.securiteam.com/?p=586

    Q: Are there any visual effects informing about the infection?
    A: No.

    Q: Are there any changes to file system made by related malware?
    A: Yes. The file WINWORD.EXE is being dropped to the Windows %Systemroot% folder.

    When the related worm activates it will drop the following files:
    Windows\System32\clipbook.exe [30,720 bytes]
    Windows\System32\clipbook.dll [33,713 bytes]
    --------------------------------------------

    Of course, no one would knowingly run such a .doc file :)

    But in case of an inadvertent instance, such remote code execution is easily blocked from installing executables by many products today.

    -rich


    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    Exploit Code Targets Third Microsoft Zero-Day Word Bug
    Story
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    Exploit for Word also works with OpenOffice
    Story
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    But the second part of the article:

    "It has not yet, however, been demonstrated that code can be injected via this weak point in OpenOffice. But there are unconfirmed reports that this is possible."

    The program crash versus System infection ...

    Mrk
     