Microsoft Word Vulnerability Spawns Zero-Day Exploit
By Doug Edelman (05/27/06)
Symantec, McAfee, F-Secure and other vendors in the computing security community are warning that a Zero-Day exploit of a vulnerability in Microsoft Word has been discovered. A Zero-Day exploit refers to a previously unknown vulnerability that is discovered only after an attack has already exploited it. Such attacks are particularly dangerous, as antivirus software offers little or no protection against a zero-day exploit.
Discovered May 19, as a result of a single targeted attack against a Japanese government office, the vulnerability in Word allows the malicious code to be transmitted via a Word Document.
Opening the document in Word 2003 installs the Trojan. If opened in Word 2000, the document crashes the program, and doesn't install the Trojan.
Symantec has designated the Trojan as Backdoor.Ginwui, and it has designated the Word 2003 document that carries it as Trojan.Mdropper.H. Ginwui is a fully featured backdoor with rootkit characteristics.
Opening the malicious document opens a backdoor which then pings an Asian IP address in order to receive commands from a hacker. The backdoor permits the hacker to do any of the following on an infected computer:
* Create, read, write, delete and search for files and directories
* Access and modify the Registry
* Manipulate services
* Start and kill processes
* Take screenshots
* Enumerate open windows
* Create its own application window
* Get information about the infected computer
* Lock, restart or shut down Windows
* Create a pipe and read files from it
* Start a remote command shell
* Enumerate network resources
To date, exploitation of this vulnerability has been very limited. However, as attackers learn how to exploit the new vulnerability, there will be more widespread attacks. Antivirus vendors have already updated their signatures to remove the infection; however, Word remains vulnerable until Microsoft issues a patch for Word 2003.
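Until a patch ships, the behaviour the article describes (a Word document drops a backdoor, and that backdoor then connects out to an external address for commands) is something a defender can look for in endpoint telemetry. The script below is an added example, not code from the article or from any vendor: it flags a Word process that spawns an executable outside a small allow-list when that executable later opens a connection to a non-internal address. The CSV log format, the allow-list, the host names, the `update.exe` child name and the destination address are all constructed for this example; none of them are indicators from the actual incident.

```python
"""Detection sketch for the drop-and-beacon pattern described in the article:
a Word process launches a new executable, and that executable then opens an
outbound connection to an external address to fetch commands.
The log format and every sample line below are constructed for this example;
none of it comes from the original incident."""
import csv
import io
import ipaddress

# Parent process of interest (the article's vector is a Word 2003 document).
OFFICE_PARENTS = {"winword.exe"}
# Children Word launches legitimately; an assumption for this example only.
ALLOWED_CHILDREN = {"splwow64.exe"}
# Address ranges treated as internal (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed endpoint telemetry, one CSV row per event.
# event is process_create (uses ppid/parent_image) or network_connect (uses dest_ip).
SAMPLE_LOG = """ts,host,event,pid,ppid,image,parent_image,dest_ip
2006-05-19T09:00:01,ws01,process_create,1200,800,winword.exe,explorer.exe,
2006-05-19T09:00:05,ws01,process_create,1300,1200,update.exe,winword.exe,
2006-05-19T09:00:07,ws01,network_connect,1300,,update.exe,,203.0.113.10
2006-05-19T09:00:09,ws01,network_connect,1200,,winword.exe,,10.0.0.20
2006-05-19T09:01:00,ws02,process_create,2200,900,winword.exe,explorer.exe,
2006-05-19T09:01:10,ws02,process_create,2300,2200,splwow64.exe,winword.exe,
2006-05-19T09:01:12,ws02,network_connect,2300,,splwow64.exe,,10.0.0.5
"""


def is_internal(ip: str) -> bool:
    """True if the address is loopback or RFC 1918; anything else counts as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(text: str) -> list:
    """Parse the CSV telemetry into a list of dicts, preserving log order."""
    return list(csv.DictReader(io.StringIO(text)))


def find_drop_and_beacon(events: list) -> list:
    """Return (host, child_image, dest_ip) for each process that Word spawned
    outside the allow-list and that later connected to an external address.
    Processes are keyed by (host, pid) because PIDs repeat across hosts."""
    suspects = {}  # (host, pid) -> image of a child spawned by Word
    alerts = []
    for ev in events:  # single pass: creation precedes connection in log order
        key = (ev["host"], ev["pid"])
        if ev["event"] == "process_create":
            if (ev["parent_image"].lower() in OFFICE_PARENTS
                    and ev["image"].lower() not in ALLOWED_CHILDREN):
                suspects[key] = ev["image"]
        elif ev["event"] == "network_connect":
            if key in suspects and ev["dest_ip"] and not is_internal(ev["dest_ip"]):
                alerts.append((ev["host"], suspects[key], ev["dest_ip"]))
    return alerts


if __name__ == "__main__":
    for host, image, ip in find_drop_and_beacon(parse_events(SAMPLE_LOG)):
        print(f"{host}: Word spawned {image}, which connected out to {ip}")
```

On the constructed log this reports only `ws01`: Word there launched `update.exe`, which then reached an external address, while the `splwow64.exe` child on `ws02` is on the allow-list and only talked to an internal host. The allow-list is deliberately short; in a real deployment it would be tuned to the Office helpers actually seen in the environment, and the internal-range check would be replaced by the organisation's own address plan.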
Microsoft's next Patch Tuesday is scheduled for June 13.
Copyright © 2006 by Doug Edelman