New Security Alert Affecting MS Word 2000

The machines we love to hate

Moderator: Wiz Feinberg

Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA


Post by Wiz Feinberg »

There's another Microsoft Word zero-day attack under way.

Microsoft on Sept. 5 confirmed that malicious attackers are exploiting a new, undocumented flaw in Word 2000 to load back-door Trojans on Windows machines.

The acknowledgment follows a warning from anti-virus vendor Symantec that the threat was detected in the wild targeting Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP systems.

A spokesman for Microsoft said the Redmond, Wash., vendor's security response team has investigated the report and concluded that the attack is limited to users of Word 2000. "[We are aware of] an attack scenario that involves malware known as Win32/Wordjmp and Win32/Mofeir," the spokesman said, adding that definition updates have been rolled out to the company's free Windows Live OneCare safety scanner for detection and removal.

Security alerts aggregator Secunia rates the flaw as "extremely critical" and urged Word users to avoid opening Word documents from untrusted sources.

Microsoft advises: Use Microsoft Word in safe mode. Click here to read more.

I will post more information as I obtain it.

The MDropper-Q Trojan downloader, recently detected by Symantec, takes advantage of the unspecified zero-day vuln to load other malware onto compromised PCs, including a backdoor Trojan called Backdoor-Femo, which surrenders control of compromised PCs to hackers. The attack is dangerous but not, as yet, widespread.

Documents incorporating the exploit code must be opened with a vulnerable copy of Microsoft Word 2000 for the attack to succeed, so the exploit doesn't lend itself towards the creation of self-replicating network worms.

Users are advised not to open untrusted documents until Microsoft patches the vulnerable software, in this case Word and Office 2000. Symantec is holding back on releasing details of the vulnerability pending a fix from Microsoft.

A previous version of MDropper attempted to target users of Microsoft's Office 2003 suite of applications. As Symantec notes: "Microsoft Office vulnerabilities are a great platform for social engineering and email based attacks."

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices
[This message was edited by Wiz Feinberg on 05 September 2006 at 06:51 PM.]
[This message was edited by Wiz Feinberg on 05 September 2006 at 06:54 PM.]

Post by Wiz Feinberg »

I just read about this new vulnerability, in Word 2000, on the Microsoft Technet. Here is their recommended temporary workaround, until a patch can be issued.


Workarounds for Microsoft Word Remote Code Vulnerability:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

• Use Word Viewer 2003 to open and view files. Word Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack. To download the Word Viewer 2003 for free, visit the following website.

• Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.
This vulnerability could be exploited when a user opens a specially crafted Word file.

• We recommend that customers exercise extreme caution when they accept file transfers from both known and unknown sources. For more information about how to help protect your computer while you use MSN Messenger, visit the MSN Messenger Frequently Asked Questions Web site.


[This message was edited by Wiz Feinberg on 06 September 2006 at 06:14 PM.]