Unofficial Registry Script Blunts MS Word Zero-Day AttackBy Ryan Naraine | Posted 2012-05-03 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Internet security experts recommend that Windows users implement software restriction policies to reduce the effects of ongoing zero-day attacks against a code execution flaw in Microsoft Word.
In the absence of a patch for a dangerous code execution hole in Microsoft Word, security experts are recommending that Windows users implement software restriction policies to blunt the effects of ongoing zero-day attacks.
Just days after anti-virus vendors warned that malicious hackers with links to China and Taiwan were exploiting the vulnerability to launch attacks against select business targets, independent researcher Matthew Murphy says Windows XP users can mitigate the risk by simply using the "Basic User" SRP (software restriction policy).
"By using the Basic User SRP, users can launch Microsoft Word without the ability to write to certain registry and file system locations that the in-the-wild malware requires access to," Murphy said in an entry on the SecuriTeam blog.
"This is a stop-gap measure based on the threat profile of the malware at this time and is only necessary if you're still running interactively as an administrator," he added.
"If you are, it should be a priority to change that if at all possible," said Murphy, a security researcher who has worked closely with Microsoft's security response center in the past.
"[O]rganizations and individuals who follow best-practice and log on interactively as non-administrators are currently not at risk. Based on feedback, I should also note that you are at less risk from any exploit of this vulnerability if the vulnerable application is running without full privilege," he added.
Murphy also released a registry script that sets a Software Restriction Policy that runs any instance of 'winword.exe' with the 'Basic User' policy.
He made it clear that the effectiveness of registry fix script is entirely based on known characteristics of the payload and warned that future variants may alter the way the flaw is exploited.
Read the full story on eWEEK.com: Unofficial Registry Script Blunts MS Word Zero-Day Attack