Alert Raised for MS Word Zero-Day AttackBy Ryan Naraine | Posted 2006-05-19 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
A zero-day vulnerability in Microsoft Word is being used in specific, targeted attacks; The flaw is being exploited to deliver a rootkit-type backdoor that does reconnaissance on an infected machine and reports back to a server in China.
A zero-day flaw in the ubiquitous Microsoft Word software program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers.
Symantec's DeepSight Threat Analyst Team has escalated its ThreatCon level after confirming the unpatched vulnerability is being used "against select targets."
The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail. However, when the document is launched by the user the vulnerability is triggered to drop a backdoor with rootkit features to mask itself from anti-virus scanners.
The SANS ISC (Internet Storm Center) said in a diary entry that it received reports of the exploit from an unnamed organization that was targeted. "The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software," said Chris Carboni, an ISC incident handler tracking the attack.
When the .doc attachment is opened, it exploits a previously unknown vulnerability in Microsoft Word and infects a fully patched Windows system. The exploit functioned as a dropper, extracting and launching a Trojan that immediately overwrites the original Word document with a "clean," uninfected copy.
Read the full story on eWEEK.com: Alert Raised for MS Word Zero-Day Attack