Microsoft: Hackers Exploiting Unpatched Flaw in MS Word
Microsoft today warned Windows users to take extra care when opening e-mail attachments that contain Microsoft Word documents, as several new threats were spotted online exploiting an unpatched security flaw in the word processing program.
Redmond said the flaw is present in Microsoft Word XP and Word 2003, and that on Thursday the company "had received a report that a customer had been subjected to a very targeted attack using this vulnerability." Microsoft says customers using the Word Viewer to view documents don't have to worry about this flaw.
Vulnerability tracking company Secunia rated the flaw "extremely critical," its most dire warning level. Computer security vendor Symantec raised its threat alert level to 2 (4 being the most serious), after spotting at least two Trojan horse programs circulating online that exploit the vulnerability to install a program that allows the attacker to take complete control over the infected machine. Symantec labeled the threats "Backdoor.Ginwui" and "Trojan.Mdropper.H".
According to Symantec, the Mdropper.H Trojan that exploits the new flaw may arrive in a file that looks something like this: NO.060517.doc.doc. Symantec said the Trojan appears to work in Microsoft Word 2003 and crashes Microsoft Word XP. Then the Ginwui backdoor program planted by Mdropper gathers system information and allows the attacker to access a command shell (that usually means game over for the victim PC) and take screen shots of whatever the user sees on his or her computer monitor. Ginwui also appears to connect to a Chinese server, no doubt controlled by whoever sent out the nastygram in the first place.
The SANS Internet Storm Center has a write-up with some good tips on how companies can avoid being whacked by this thing. For consumers, the most important thing is to avoid opening attachments that you are not expecting. Ensure your anti-virus software is up-to-date, and if you do open a Word document that arrives in e-mail, be sure to scan it with your anti-virus program first. This is not a perfect solution -- since anti-virus updates are usually released several hours after new virus threats surface -- so SANS recommends that users consider waiting between six and 12 hours to open any Word file that arrives as an e-mail attachment, just to give your anti-virus company time to catch up. Again, not a perfect solution, but that is probably a sound idea. Also, since Microsoft's Word Viewer program doesn't appear to be affected by this vulnerability, viewing any Word files that arrive in e-mail using that program might be a good idea.
We are starting to see a lot more of these targeted attacks, mainly because they are very successful. Most businesses now block executable programs as e-mail attachments, but for business reasons very few will nix Microsoft Word documents that arrive in e-mail.
Last month, I blogged about a very targeted attack against military personnel. How successful was it? Secure Science Corp., the company that discovered that particular attack, managed to locate the stash of data the criminals had stolen: They found 2,301 sets of online login credentials belonging to U.S. military personnel, potentially allowing access to various Department of Defense "service portals" such as MarineNet.mil and AKO (Army Knowledge Online).
The scammers' database also held other login information from victims, including user names and passwords for 221 Bank of America accounts, 5,524 Gmail accounts, and 1,842 sets of Hotmail credentials.
Anyway, it may be a while before we see a patch from Redmond to fix this problem. Microsoft said its Office team "is hard at work on an update that addresses the vulnerability. It's in testing right now to make sure it's of the right quality for release. Right now we're on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted."
May 19, 2006; 3:29 PM ET
Categories: Latest Warnings