
Microsoft: Hackers Exploiting Unpatched Flaw in MS Word

Microsoft today warned Windows users to take extra care when opening e-mail attachments that contain Microsoft Word documents, as several new threats were spotted online exploiting an unpatched security flaw in the word processing program.

Redmond said the flaw is present in Microsoft Word XP and Word 2003, and that on Thursday the company "had received a report that a customer had been subjected to a very targeted attack using this vulnerability." Microsoft says customers using the Word Viewer to view documents don't have to worry about this flaw.

Vulnerability tracking company Secunia rated the flaw "extremely critical," its most dire warning level. Computer security vendor Symantec raised its threat alert level to 2 (4 being the most serious) after spotting at least two Trojan horse programs circulating online that exploit the vulnerability to install a program that lets the attacker take complete control of the infected machine. Symantec labeled the threats "Backdoor.Ginwui" and "Trojan.Mdropper.H."

According to Symantec, the Mdropper.H Trojan that exploits the new flaw may arrive in a file with a name something like this: NO.060517.doc.doc. Symantec said the Trojan appears to work in Microsoft Word 2003 and crashes Microsoft Word XP. The Ginwui backdoor that Mdropper plants then gathers system information, lets the attacker open a command shell on the machine (which usually means game over for the victim PC), and takes screen shots of whatever the user sees on his or her monitor. Ginwui also appears to connect to a server in China, no doubt controlled by whoever sent out the nastygram in the first place.

The SANS Internet Storm Center has a write-up with some good tips on how companies can avoid being whacked by this thing. For consumers, the most important thing is to avoid opening attachments that you are not expecting. Ensure your anti-virus software is up-to-date, and if you do open a Word document that arrives in e-mail, be sure to scan it with your anti-virus program first. This is not a perfect solution -- anti-virus signatures for a new threat are usually released several hours after it surfaces -- so SANS recommends that users consider waiting six to 12 hours before opening any Word file that arrives as an e-mail attachment, just to give your anti-virus company time to catch up. Again, not a perfect solution, but it is probably a sound idea. Also, since Microsoft's Word Viewer program doesn't appear to be affected by this vulnerability, viewing any Word files that arrive in e-mail with that program instead of Word itself is a good idea.

We are starting to see a lot more of these targeted attacks, mainly because they are very successful. Most businesses now block executable programs as e-mail attachments, but for business reasons very few will nix Microsoft Word documents that arrive in e-mail.
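As an added illustration (this is not code from this post, from SANS or from Microsoft), here is a small Python triage routine of the kind a mail gateway could apply to Word attachments instead of blocking them outright. It identifies a Word document by its OLE2 file header rather than its extension, flags double extensions like NO.060517.doc.doc and executables renamed to look like documents, looks for an executable image embedded inside the document (the pattern a dropper relies on), and holds clean-looking documents for the 12-hour window suggested above so anti-virus signatures can catch up. The extension lists, the 12-hour hold and the sample files are assumptions constructed for the example, and the embedded-executable check is a generic heuristic, not a signature for Mdropper.H.

```python
# Added example: mail-gateway triage for Word attachments. Not from the post,
# SANS or Microsoft; thresholds, extension lists and sample files are assumed.
from __future__ import annotations

# OLE2 compound-document signature that every legacy .doc/.xls/.ppt file starts with.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
PE_MAGIC = b"MZ"                                        # DOS/PE executable header
DOS_STUB = b"This program cannot be run in DOS mode"   # text in a standard PE DOS stub
WORD_EXT = {"doc", "dot"}                               # OLE2-based Word formats (assumed list)
KNOWN_EXT = WORD_EXT | {"xls", "ppt", "pdf", "txt", "exe", "scr", "pif", "com", "bat"}
HOLD_HOURS = 12.0   # upper end of the 6-12 hour delay SANS suggested (assumed policy value)


def looks_like_word_doc(data: bytes) -> bool:
    """Decide by file header, not by name: a renamed executable fails this check."""
    return data.startswith(OLE2_MAGIC)


def has_double_extension(name: str) -> bool:
    """True for names like NO.060517.doc.doc where the last two suffixes are both known extensions."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in KNOWN_EXT and parts[-2] in KNOWN_EXT


def embedded_pe_offset(data: bytes) -> int:
    """Offset of a PE image embedded in the file (what a dropper carries), or -1 if none."""
    start = 0
    while True:
        i = data.find(PE_MAGIC, start)
        if i < 0:
            return -1
        # A real PE header carries the DOS stub text within its first few hundred
        # bytes; a stray "MZ" inside ordinary document text does not.
        if DOS_STUB in data[i:i + 512]:
            return i
        start = i + 1


def triage(name: str, data: bytes, age_hours: float) -> dict:
    """Return {'action': 'block'|'hold'|'scan_and_deliver'|'deliver', 'reasons': [...]}."""
    reasons = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    is_doc = looks_like_word_doc(data)
    is_exe = data.startswith(PE_MAGIC)

    if has_double_extension(name):
        reasons.append("double extension")
    if is_exe:
        reasons.append("content is a Windows executable regardless of extension")
    if ext in WORD_EXT and not is_doc and not is_exe:
        reasons.append("Word extension but not an OLE2 document")
    if is_doc:
        off = embedded_pe_offset(data)
        if off >= 0:
            reasons.append(f"embedded PE image at offset {off}")
    if reasons:
        return {"action": "block", "reasons": reasons}

    if is_doc:
        if age_hours < HOLD_HOURS:
            remaining = HOLD_HOURS - age_hours
            return {"action": "hold",
                    "reasons": [f"Word document; hold {remaining:.1f}h more for AV signatures"]}
        return {"action": "scan_and_deliver",
                "reasons": ["Word document past hold window; rescan with current signatures"]}
    return {"action": "deliver", "reasons": []}


def _pad(n: int) -> bytes:
    return b"\x00" * n


# Constructed stand-ins for the example; none of these is real malware.
SAMPLES = {
    "quarterly.doc": OLE2_MAGIC + _pad(504) + b"ordinary document text",
    "NO.060517.doc.doc": OLE2_MAGIC + _pad(504),
    "invoice.doc": PE_MAGIC + _pad(62) + DOS_STUB,                       # renamed executable
    "agenda.doc": OLE2_MAGIC + _pad(504) + b"text" + PE_MAGIC + _pad(62) + DOS_STUB + _pad(64),
    "notes.txt": b"plain text",
}


def run_samples(age_hours: float = 1.0) -> dict:
    """Map each sample name to the action the gateway would take at the given age."""
    return {name: triage(name, data, age_hours)["action"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        print(sample_name, triage(sample_name, sample_data, 1.0))
```

The hold is deliberately keyed to the message's age rather than to a scan result: a document that scanned clean an hour after arrival is exactly the case the delay is meant to cover, so the gateway rescans it with current signatures only after the window has passed.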

Last month, I blogged about a very targeted attack against military personnel. How successful was it? Secure Science Corp., the company that discovered that particular attack, managed to locate the stash of data the criminals had stolen: They found 2,301 sets of online login credentials belonging to U.S. military personnel, potentially allowing access to various Department of Defense "service portals" such as MarineNet.mil and AKO (Army Knowledge Online).

The scammers' database also held other login information from victims, including user names and passwords for 221 Bank of America accounts, 5,524 Gmail accounts, and 1,842 sets of Hotmail credentials.

Anyway, it may be a while before we see a patch from Redmond to fix this problem. Microsoft said its Office team "is hard at work on an update that addresses the vulnerability. It's in testing right now to make sure it's of the right quality for release. Right now we're on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted."

By Brian Krebs  |  May 19, 2006; 3:29 PM ET
Categories:  Latest Warnings  

Comments

Two quick questions / observations:

1. Is the MS Word Viewer program also vulnerable to these same attacks? (Probably it is, but only MS can really know.) If it is _not_, then using the Viewer to look at attachments might be a good work-around. (The Viewer is available free from MS's Web site.)

2. Another possibility (which SANS mentioned in the "Handler's Diary" entry) is to use Open Office to open '.doc' attachments. OO is a big enough program that it certainly has vulnerabilities of its own -- but hopefully, they are _different_ vulnerabilities.

Finally, it is worth emphasizing that this was a targeted attack which employed very plausible "social engineering": apparently internal e-mail, plausible subjects & signatures, etc.

Rich Gibbs

Posted by: Rich Gibbs | May 19, 2006 4:26 PM

Rich -- Microsoft says customers using the Word viewer to view documents don't have to worry about this flaw. I've updated the blog to include this information. Thanks.

Posted by: Bk | May 19, 2006 4:30 PM

It should be noted that users who are not running as administrators on their machines will have a much lower risk of being exploited.

The exploit attempts to write to several file and registry locations that normal users do not have write access to.

Posted by: Matt | May 19, 2006 4:35 PM

Why would anyone want to use Microsoft Windows XP or Windows 2003 and Microsoft Word anyway? Get away from that garbage and have a lot easier life! Anything but Microsoft.

Posted by: Dick Kolklayshr | May 20, 2006 11:50 AM

http://www.msboycott.com/thealt/alts/word.shtml
http://www.atlantiswordprocessor.com/en/

MS Alternatives have always proved to be the safest way to go for me. NO AV Software or AntiSpyware software installed. Only a small decent firewall, and microsoft alternatives. I haven't had a virus since MSBLAST. Spyware shows up only in the form of pitiful unremoved cookies.

Firefox browser and Thunderbird for mail, Atlantis for Word. I'd never use Windows Media Player! Check out Media player classic. Also look into the Adobe alternatives for PDF's that aren't auto loading memory hogs.

Grab a hosts file, configure your firewall to allow only TCP with the apps you need on their ports, and block everything else. It's pretty simple. Disable your services (tons of them). At least four services running now are sitting listening for connections. Also disable NetBIOS, LSPs other than Winsock, DCOM, and use SocketLock to allow only the system raw access...

Most of all, don't use Internet Explorer, Win Explorer or variations(like the yahoo browser).

Posted by: anonymous | May 20, 2006 3:09 PM

A very simple fix to all this... use DropMyRights from Microsoft to lower system permissions for all internet-facing programs, including your email client, browsers, usenet client, any filtering programs for email and usenet (SpamPal, Hamster Playground, etc.), any networking tools (Sam Spade, etc.), IM programs (Miranda, YIM, etc.), P2P file-sharing programs (LimeWire, etc.), any music-playing programs that access the internet (Windows Media Player), etc., etc...

This allows a person to continue running in an Administrator context, but drop system permissions for any 'at-risk' programs. Since running in a non-Administrator context often results in more problems than it solves, this solution works very well.

When a program is opened from another program (such as launching MS Word by opening a .doc attachment from your email client), the opened program (in this case, MS Word) will inherit the permissions of the program that launched it (in this case, your email client)... meaning it'll not have the system permissions to allow the virus to infect the PC.

I do this for all the clients I perform IT work for, and it's saved them numerous times.

Here's a link to DropMyRights:
http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp

And a shell extension for DropMyRights:
http://blogs.msdn.com/michael_howard/archive/2004/12/23/331606.aspx

Posted by: SpamSlayer | May 20, 2006 5:20 PM

How long are Windoze users expected to put up with this crap. Just buy a Mac!

Posted by: David John | May 20, 2006 11:07 PM

An executable file with a document extension, and nothing in Microsoft's software thinks that is unusual. No warning, no blocking, just automatically running an executable when the user would think they were just launching Word. No wonder users have problems with this kind of simplistic approach by Microsoft.

Surely users are entitled to better protection.

Posted by: Steve | May 21, 2006 1:17 AM

Everyone who has any computer knowledge knows that MS products are vulnerable to viruses etc... Yet they are still very widely used, and the alternative products are always as good as or in a lot of cases better than the MS product. I am typing this now on my Linux-based machine running Mozilla Firefox as my browser. I haven't EVER had a virus.

Posted by: Lewis Edginton | May 21, 2006 9:45 AM

This is a VERY targeted attack. Person who released information to public was attempting to "out" the attackers for personal gain.

Posted by: Anonymous | May 22, 2006 4:02 AM

I love the post that begins: "A very simple fix to all this..." I'd hate to see something that was tough to fix. :D

Posted by: Mr Simple | May 22, 2006 5:53 AM

Does anyone know what the comments from:

Posted by: Andy | May 21, 2006 09:54 AM
Posted by: Patty | May 21, 2006 11:01 AM
-or-
Posted by: Sherry | May 21, 2006 11:04 AM

are supposed to mean? I can't find any info on their listed domains through 'nslookup' or 'whois'; Google doesn't know about them either. Is it just gobbledygook or typos? Perhaps they are in cahoots?!

Posted by: Strange URLs from Andy/Patty/Sherry | May 22, 2006 2:01 PM


© 2010 The Washington Post Company