Trojans Spread Via Zero-Day Word Vulnerability

Two different pieces of malware are spreading via an unpatched Microsoft word vulnerability. The Redmond Company has published on December 5, 2006, a security advisory warning of the detection of proof-of-concept code for a zero-day vulnerability in Word 2000, Word 2002, Office Word 2003, Word Viewer 2003, Word 2004 for Mac, and Word 2004 v. X for Mac, as well as Works 2004, 2005 and 2006.

The Redmond Company stated at that time that it was aware of limited exploits attempts targeting the vulnerability. Two days latter, security company Sophos has issued a public warning informing of the detection of two Trojan horses that spread through the Word flaw. Troj/DwnLdr-FXG and Troj/DwnLdr-FXH are being aggressively distributed via the unpatched flaw that - if successfully exploited - allows for remote code execution.

"It appears that hackers are deliberately creating malformed Word documents that result in a buffer overflow that can then run unauthorized code on the user's computer," said Graham Cluley, senior technology consultant for Sophos. "They can then tell the computer to download and run malware, such as these Trojan horses, opening the door for all kinds of malicious behavior."

Microsoft has not issued a security patch for the World vulnerability. It is possible that the software giant will address the flaw in the next monthly patch cycle scheduled for December 12, 2006. But due to the proximity of the reports concerning the zero-day vulnerability and security bulletins release date, it's also possible that Microsoft will issue an out of band release or deliver the security updates in January 2007.

"So far the vulnerability does not appear to be being widely exploited. Nevertheless, Microsoft will be keen to build at patch for the security hole as quickly as possible, and computer users should exercise caution about which Word documents they choose to open," added Cluley.