New zero-day
We have an update from Mark Allen:
Microsoft has finally published a KB article on this issue with stronger workarounds and mitigating factors. (It probably is worth repeating that only Word 2002 and Word 2003 are affected.)
They also write that the Word patch is on track for June patch day release (or sooner, if warranted.)
Stephen Toulouse has posted an update on the Word 0 day issue from last week. He writes:
The attack we’ve seen is email based. The emails tend to arrive in groups, they often have fake domains that are similar to real domains of the targets, but the targets are valid email addresses. Currently two of the subject lines we have seen are:
Notice
RE Plan for final agreement
The attack we have seen so far requires admin rights, so limitations on user accounts can help here.
Conveniently, Stephen adds a link to a really nice article from the Microsoft Security Developer Center titled Browsing the Web and Reading E-mail Safely as an Administrator. This is a great resource if your users have admin rights on their desktop systems -- there are ways to help stop malware from taking advantage of admin rights by following some of the recommendations in this column.
From Mark Allen:
The original ISC diary entry broke the news of a previously unknown vulnerability in Microsoft Word being exploited to download a "full control" rootkit on infected desktop systems. (AV vendor F-Secure has a full write up of what the rootkit does, how it works, how it's installed, etc. if you care about those details.)
Since this is a previously unknown vulnerability, there's no patch to stop this attack vector from working and the exploit is so new that many anti-virus vendors haven't been able to create/publish new signatures yet. (But even if every AV company already had new signatures, there's often a significant lag between publishing the updates and getting them installed on everyone's desktop.)
So that means users are the best defense right now. It's important to let users know that they need to exercise a lot more care about opening documents from emails. This is generally a security "best practice" anyway, but it bears repeating especially now.
Stephen Toulouse of Microsoft's MSRC blog writes:
We've been made aware of a new vulnerability in Microsoft Word XP and Word 2003. Customers using the Word viewer to view documents are not impacted...
The Office team is hard at work on an update that addresses the vulnerability. It's in testing right now to make sure it's of the right quality for release. Right now we're on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.
So until your AV is updated and this Office patch is rolled out, user education is the best defense unless you have the luxury to block all incoming Word document attachments at your email gateway.
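For sites that can block Word attachments at the gateway, the check might look like the following. This is an added example, not code from the original diary entry, Microsoft or any gateway product; the function names, verdict fields and sample messages are assumptions made for illustration. It flags attachments by extension, by declared MIME type, and by the OLE2 file header so that a renamed Word document is still caught, and it notes when the subject matches one of the two lines quoted above.

```python
import email
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of binary Word 97-2003 files
WORD_EXTS = (".doc", ".dot")
WORD_TYPES = {"application/msword"}
# Subject lines quoted in the MSRC update above; a hit is a triage hint only.
WATCH_SUBJECTS = {"notice", "re plan for final agreement"}


def inspect_message(raw: bytes) -> dict:
    """Decide whether one raw RFC 5322 message should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(WORD_EXTS):
            reasons.append(f"extension:{name}")
        elif part.get_content_type() in WORD_TYPES:
            reasons.append(f"mime-type:{name or '(unnamed)'}")
        elif payload.startswith(OLE2_MAGIC):
            # Renamed file that is still an OLE2 container. This also catches
            # other legacy Office formats, which over-blocks by design.
            reasons.append(f"ole2-magic:{name or '(unnamed)'}")
    subject = str(msg["Subject"] or "").strip().lower()
    return {"quarantine": bool(reasons), "reasons": reasons,
            "subject_match": subject in WATCH_SUBJECTS}


def build_sample(subject, filename, data, subtype="octet-stream") -> bytes:
    """Construct a test message (constructed sample, not a captured email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.org", subject
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Notice", "plan.doc", OLE2_MAGIC + b"\0" * 8, "msword"),
        build_sample("Weekly report", "report.txt", OLE2_MAGIC + b"\0" * 8),
        build_sample("Lunch", "menu.txt", b"soup, salad"),
    ]
    for raw in samples:
        print(inspect_message(raw))
```

The subject match is reported separately and never triggers quarantine on its own, since the subject lines are trivial for a sender to change.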