Zero day flaw in WORD allows exploits by Trojan

by Michael Smith (Veshengro)

Microsoft warned on July 10, 2008, that an unpatched security vulnerability in WORD has become the subject of targeted attacks.

Yet another security flaw in Microsoft products? You don't say... The more I see of Microsoft the more I wonder what kind of incompetence reigns there at Redmond.

The flaw – which, supposedly, is restricted, so they claim, to Microsoft Office WORD 2002 Service Pack 3 (one may wonder when they will notice that it does not just affect that one) – creates a mechanism for hackers to inject hostile code onto vulnerable systems. Redmond has published workarounds as a stop-gap measure while its researchers investigate the flaw in greater depth.

In the meantime, Microsoft is keen to downplay alarm. "At this time, we are aware of limited, targeted attacks attempting to use the reported vulnerability, but we will continue to track this issue," a post on its security response blog explains.

The vulnerability has appeared in a number of samples of malware. A widening number of anti-virus firms have issued signature updates to defend against the threat.

Symantec, acting on samples sent to it by handlers at the SANS Institute's Internet Storm Centre, was the first to publish an advisory.

Maybe a firewall that can prevent the injection of hostile code would be advisable here as well, such as PC Tools' free Firewall, which I recently tested because my favorite, ZoneAlarm, had been disabled by the nice guys from Redmond with Microsoft Security Update for Windows KB951748. It has an advanced facility that can prevent the injection of code. It can be annoying, though, when this is set, as it will have the little window pop up every time that you launch a program, until it has learned which programs are allowed to do this and that.

The timing of the arrival of the exploit meant Microsoft did not have enough time to respond before its regular “Patch Tuesday” update. This factor is probably no coincidence. So far the direct details of the flaw are still under investigation, and it can be safely assumed that they will probably be withheld from the public and industry until a fix is available. It is also not at all clear who the attack is targeting. However, historically, unpatched WORD exploits are a particular favorite of Chinese hackers.

Seeing how clever Redmond was recently with Microsoft Security Update for Windows KB951748, which disabled most if not indeed all ZoneAlarm applications, and given that so far we have no response from them as to that foul-up, why should we trust them when they are so silent?

Many people seem to believe that the disabling of ZoneAlarm in the above-mentioned patch was no coincidence but was in fact one of the aims.

Yet again, I cannot and will not comment further on such claims as they cannot, so far, be substantiated and proven. Let the reader, however, beware.

The best advice, I am sure, can only be here, yet again, to go Open Source, and to use an alternative to Microsoft Office. There are a number of them available and most are as good, at least, as MS Office.

As I, personally, am moving – work-wise – between Linux and Windows all the time, I am using only, nowadays, Open Office 2.0 for all the work that generally would have been the domain of MS Office. The exceptions are when WORD needs to be used to work with some templates, for instance, such as Avery Dennison's ones, as they still have not created Open Office interoperability.

I am not saying that there may not be vulnerabilities in Open Office or the other Open Source products. The fact remains, though, that most hackers do not seem to even attempt to target such open source software and also operating systems. Or, more precisely, in the case of the operating systems, such as Linux Ubuntu, they try to get somewhere but do not succeed.

© M Smith (Veshengro), July 2008