Beware Active Microsoft Word Vulnerability, Rogue Browser

Microsoft moves to patch a “zero-day” Word vulnerability. Meanwhile in a first, a new worm arrives bearing its own browser—the better to launch drive-by download attacks.

A current attack, first seen in the wild, targets a previously undisclosed flaw in Microsoft Word. Vulnerability information provider Secunia warns the flaw “is being actively exploited,” and rates it as “extremely critical.”

While the exact Microsoft Word flaw or flaws haven’t been publicly detailed, what we have learned is that the attack uses a combination of a worm and a Trojan back door to exploit various versions of Microsoft Word. The vulnerability affects Microsoft Office 2003 (Professional Edition, Small Business Edition, Standard Edition, Student and Teacher Edition), Microsoft Office XP, plus Microsoft Word 2002 and 2003.

In an online posting to its Web site, researchers at Microsoft say they’re investigating the vulnerability; there’s currently no patch. They also note that for the attack to be effective, there is a social engineering component: users must “first open a malicious Word document attached to an e-mail, or otherwise provided to them by an attacker.”

Security researchers note the worm involved in the attack may arrive in a Word document, Excel spreadsheet, or PowerPoint slide. For example, one malicious Word document is known variously as Trojan.Mdropper.H or Trojan-Dropper.MSWord.1Table.bd. Opening the document causes the Trojan dropper to run and download an application called Backdoor.Ginwui. According to Symantec, “this back door allows a remote attacker to gather system information and execute code on the attacked machine.”

This back door also hides its tracks. “Once you download and try to open the infected file, it shows an error message. If you click on ‘Retry,’ the malicious file is replaced by a clean one,” notes security researcher Arti Taru of MicroWorld Technologies. By then, however, it’s probably too late: the Trojan dropper is on the PC, and has likely already downloaded the software back door too.

The good news: so far this attack doesn’t seem to be a serious security threat since it “is not spreading widely, because it seems to be targeted at specific, large organizations,” notes Vincent Weafer, senior director at Symantec Security Response.

Regardless, until Microsoft issues a patch, as Secunia says, “do not open untrusted Office documents.” To be safe, make this an ongoing mantra. “Though the Trojan and back door in question have already been identified, fresher attacks are anticipated with newer breeds and variants,” says Taru.

Worm Arrives Bearing Browser

In other vulnerability news, researchers from FaceTime Communications discovered a Yahoo Messenger worm that blocks Internet Explorer, installs its own lightweight browser to download spyware, then blares looped guitar music which users can’t deactivate.

“This is one of oddest and more insidious pieces of malware we have encountered in years,” says Tyler Wells, a researcher at FaceTime.

The self-propagating worm, yhoo32.explr, first installs “Safety Browser,” an application which comes with no uninstall feature, and which may disguise itself with an Internet Explorer icon. The application loads the Safety Browser homepage at demoplanet.tv, which initiates a spyware download. Then, bizarrely, it plays looped electronic guitar music which users can’t deactivate—even after restarting their PC or deactivating the Safety Browser program. The worm also sends a version of itself (as an .exe file) to everyone on an infected PC’s Yahoo Messenger contact list.

What’s especially interesting about this worm is “this is the first recorded incidence of malware installing its own Web browser on a PC without the user’s permission,” says Wells.

These so-called “rogue” browsers are a useful way to circumvent many antivirus or anti-malware controls to illicitly install and run attack code. Perhaps not surprisingly, says Wells, “rogue browsers seem to be the hot new thing among hackers.”

Related Articles:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.