In-Depth

Yet Another Word Zero-Day Exploit Surfaces

A new exploit potentially lets an attacker execute code on a user’s machine

• By Stephen Swoyer
• 01/31/2007

News surfaced last week of still another Word zero-day attack. This brings the number of unpatched Word zero-day attacks to four. Microsoft’s January 9 Patch Tuesday was conspicuously lacking patches for any of then-extant Word exploits, and—with a fourth one in the wild, and with proof-of-concept code possibly circulating—Microsoft Corp.’s next Patch Tuesday can’t come fast enough.

Last week the company confirmed that the exploit targets a new, as-yet-unpatched Word vulnerability in several limited attacks.

“We are currently investigating a report of a posting of proof-of-concept code which could allow an attacker to execute code on a user’s machine in their security context by convincing them to open a specially-crafted Word document,” wrote Alexandra Huft in a post to Microsoft’s Security Research Center (MSRC) blog last week. “We are aware of very limited, targeted attacks attempting to use the vulnerability reported,” she confirmed.

What does Microsoft mean by “very limited, targeted attacks”? In a post to the MSRC blog last December, Microsoft’s Christopher Budd said such attacks are typically “carried out against a very small number of customers”—even as few as one or two—or are “carried out in a very deliberate fashion against a specific organization or organizations.”

According to security researcher Symantec Corp., attackers who successfully exploit the latest Word zero-day bug could gain complete control of any system running Word 2000; an attacker could trigger system crash and denial-of-service (DoS) on Word XP (Office 2002) and Word 2003 systems.

“We’ve seen many threats using vulnerabilities based on Microsoft Office documents over the last year, so it’s no surprise that we have recently observed new samples of a threat that follows the same theme. This threat named Trojan.Mdropper.W is using the new Microsoft Word 2000 Unspecified Code Execution Vulnerability (BID22225) to drop threats onto a compromised computer,” wrote researcher Hon Lau in a post to Symantec’s Security Response Weblog. “When the infected Word document is opened, it uses an exploit to drop some files onto the computer. These files are back door Trojans that enable an attacker to gain remote access to your computer.”

Microsoft released its last round of patches on January 9. Notably absent from that collection were fixes for three exploits known at that time that target unspecified vulnerabilities in all supported versions of Microsoft Word along with several versions of Microsoft Works. Even as far back as early December, Microsoft officials acknowledged they were investigating rumors of Word "zero-day" exploits.

"I wanted everyone to know that we're actively investigating and monitoring all of these issues through our Software Security Incident Response Process and we are working on developing and testing security updates for the three issues, which we'll release as part of our release process once they've reached an appropriate level of quality," wrote Alexandra Huft on Microsoft's Security Response Center Blog in December.