For Microsoft products

Oct 11, 2007 07:42 GMT

Moving from vulnerabilities to patches and then to the ensuing exploits is a natural order of security evolution for Microsoft products, and the company's monthly patch cycle only confirms this trend. In the aftermath of the security bulletins issued on October 9, 2007, exploits appeared targeting an initially privately reported vulnerability in Word from Office 2000 Service Pack 3, Office XP Service Pack 3 and Microsoft Office 2004 for Mac. Microsoft stated that Office 2003 Service Pack 2 and the recently launched Service Pack 3, as well as the Office 2007 System, are not impacted by the vulnerability.

The Word Memory Corruption vulnerability can be exploited through the manner in which Word handles specially crafted Word files containing malformed strings. Microsoft rated the security vulnerability at a maximum level of Critical because it allows for remote code execution. This is a client-side security flaw, meaning that user interaction is mandatory for a successful exploit: simply opening a malformed Word file would trigger the vulnerability.

"Today we had an interesting sample shared with us. It was a Microsoft Word document which, when opened, was simply crashing Word. We tried using various combinations of Word versions, patches and languages, and in each case (with the exception of Office 2007) opening the document would cause Word to crash. After taking a closer look, we could see that the document contained shell code and three other pieces of malware. What was interesting about the document was that it wasn't in OLE format, meaning that it wasn't a standard Microsoft Office document. After some investigation we determined that the document had actually been created using Word for Macintosh," said Orla Cox, Symantec Security Response Engineer.

Symantec confirmed that the malformed Word sample it was analyzing, just one item from the attacks targeting Word, was in fact exploiting the vulnerability that Microsoft patched on October 9. At this point, deploying the security update from Microsoft Security Bulletin MS07-060, which addresses the critical flaw in Word, is all that is needed to render these exploit attempts useless. Additionally, if you are already running Office 2007 or Office 2003 SP3, you are safeguarded against these attacks.

In addition to the issue reported by Symantec, security company Sophos also revealed that Office documents have become a focus for attackers. "Due to the complexity of the exploits required to execute these kinds of attack, most exploited documents will contain only one or two files. The exploited document I looked at today was no exception, however it did have an interesting twist. It drops a single piece of malware which is mated to the exploited document; when run, it searches the user's system until it finds the document it originated from and then extracts three more pieces of malware from the document. That's a total of four separate pieces of malware from one document. These other nasties are identified as: Troj/AntiHIP-A, Troj/AntiHIP-B, Troj/DDrop-C and Troj/KillAV-EB," explained Chris Mitchell, SophosLabs Australia.