Double Trouble: Microsoft Confirms Another Word Zero-Day Flaw

Microsoft’s security response center has confirmed that a second zero-day vulnerability in its Word software program is being targeted by unknown attackers.

The latest flaw comes just days after the software maker issued a security advisory to warn customers against opening Word documents from untrusted sources. The two vulnerabilities are entirely unrelated.

The flaws were discovered during actual code execution attacks against select targets and highlight the Redmond, Wash., vendor’s struggle to cope with gaping holes in one of its most widely used products.

According to a US-CERT advisory, the latest bug is a memory corruption issue that occurs when a Word file is rigged with malformed data structures. No other details were made available.

Microsoft has not yet issued a formal prepatch advisory but, in a blog entry, Security Program Manager Scott Deacon listed affected software versions as Word 2000, Word 2002, Word 2003 and the Word Viewer 2003.

He said Microsoft Word 2007 is not affected by the second vulnerability.

“From the initial reports and investigation we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis,” Deacon added.

Click here to read about MS Office attacks being linked to corporate espionage.

Microsoft uses the “very limited, targeted attack” terminology to make a distinction between attacks that affect a broad number of customers randomly.

“Unlike these broad, random attacks, these very limited, targeted attacks are carried out against a very small number of customers [sometimes only one or two even] and are carried out in a very deliberate fashion against a specific organization or organizations,” according to Christopher Budd, a program manager in the MSRC (Microsoft Security Response Center).

“Where the goal of these broad, random attacks is large in scope, the goal of these very limited, targeted attacks is generally to introduce malicious software on to the systems of the specific organizations that have been targeted,” he explained.

Click here to read more about MS Excel zero-day attacks.

For most of 2006, flaw finders and attackers have been pounding away at Microsoft Office applications, discovering new ways to attack millions of Windows machines. The zero-day attacks against Word, Excel and PowerPoint users have all the characteristics of corporate espionage—where Trojan horse programs are used to drop keyloggers and data theft malware programs on target systems.

In almost all of the Microsoft Office attacks, e-mail is used as the initial infection vector, with social engineering lures to run attachments, according to Websense Security Labs, in San Diego. The exploits then connect to remote sites to download additional payloads, including rootkits capable of hiding from anti-virus and other security software.

“Although attacks in the past have been limited in target numbers, business sectors and regions, there is a potential for more widespread attacks with this Word zero-day,” according to a Websense alert.

There are no prepatch workarounds available for either of the Word flaws.

Microsoft suggests that users “do not open or save Word files,” even those that arrive unexpectedly from trusted sources.

“As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources,” the company said.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save or Cancel before a file is opened. This offers a minor warning mechanism for Word users.

Microsoft plans to issue six security bulletins as part of its December batch of patches, but there are no Office fixes on tap. Unless an out-of-cycle update is shipped, the Word flaws will remain unpatched until at least Jan. 9, 2007.

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine’s eWEEK Security Watch blog.