Zero-day Word flaw used in attack
By Joris Evers
Staff Writer, CNET News.com
Published: May 19, 2006, 11:32 AM PDT
A new, yet-to-be-fixed security hole in Microsoft Word exposes computer users to cyberattack, Symantec warned Friday.
Would-be intruders already have attempted to compromise PCs at a Japanese government entity by exploiting the flaw, Vincent Weafer, the senior director at Symantec Security Response, said in an interview. In response, Symantec has raised its ThreatCon to Level 2, which means an outbreak is expected.
"What we're seeing is a continuation of the targeted threat using zero-day vulnerabilities," Weafer said. (Zero-day flaws are ones for which no patch exists.) "We got it from a single large customer inside Japan. We have not seen anyone else get it."
Microsoft is readying a security update for Word that repairs this vulnerability, a company representative said in an e-mailed statement. The fix is scheduled to be released as part of the June 13 security updates, or sooner, if warranted, the representative said.
The malicious software arrives as a Microsoft Word file attachment to an e-mail message. When the document is opened by the user, the vulnerability is triggered. In the Japanese case, the Word document actually displayed some text related to a treaty with China, but while the text was displayed, a backdoor was installed on the system, Weafer said. Backdoor software allows intruders to enter computers surreptitiously.
"The backdoor in turn pings an IP address located in Asia. It just pings to say it is available, but then, of course, you have a backdoor on your system," he said.
The vulnerability was confirmed in Word 2003, Symantec said. The malicious file caused Word 2000 to crash, but did not run the malicious payload, it added.
Exploitation of the security hole so far is only known as part of a single, targeted attack, Symantec said. "However, with the disclosure of this previously unknown vulnerability, new attackers may begin to exploit it in a widespread manner," the Cupertino, Calif., security company said in an advisory sent to customers.
The targeted attack can bypass spam filters, and Symantec's antivirus software doesn't yet detect the particular Word file as malicious, Weafer said. "We are looking at the vulnerability itself, in terms of generic blocking," he said, adding that the security software does detect the backdoor and the installer of the backdoor.
Microsoft and Symantec urge caution in the opening of Word documents received as an unexpected e-mail attachment.