Word Attack Hails From China

If Microsoft Windows users need another reason not to open e-mail
attachments, hackers are exploiting a zero-day vulnerability in Word
2002 and 2003.

Hackers are using a new and unpatched vulnerability in Word to
create a Trojan posing as an official document from co-workers.

Once opened, Trojan.Mdropper.H installs a backdoor giving malicious hackers control of a Windows system, according to Symantec, one of the security firms warning users.

Microsoft said it will include a patch for the vulnerability June
13, as part of its usual monthly security notice release.

“So far, this is a very limited attack, and most of our antivirus partners are rating this as ‘low,’” Stephen Toulouse, manager of Microsoft’s
Security Response Center program, wrote on the company’s blog.

The blog posting noted that a user would need to open the Word file
for the exploit to work, but said that information “isn’t meant to say
the issue isn’t serious.”

The software company said it has been working with a “couple
customers thus affected.” However, Microsoft will investigate any
variants it might find.

While Microsoft points to just a couple of customers hit by the
Trojan, that could quickly change, according to security firm Secunia.

“Currently it appears that the vulnerability is only being exploited in
small targeted attacks,” said Thomas Kristensen, Secunia’s CTO. However, it is “certainly possible” to create an
exploit that is released on a much broader scale, according to Kristensen.

How can users spot the Trojan? Microsoft’s Toulouse says two
common e-mail subject lines are “Notice” and “RE Plan for final
agreement.”

Microsoft is also recommending, along with using caution
when opening e-mail attachments, that Windows users limit admin
privileges.

But the SANS Institute believes Windows users should simply stop opening
untrusted Word documents.

The exploit “almost certainly is from China,” said Johannes
Ullrich, SANS chief researcher.

While some believe the first report of this exploit being seen in the
“wild” was at a Japanese government department, Ullrich said SANS bases
its report on an attack on a U.S. defense contractor.

This is the first Trojan sent to a government agency that SANS can share with the public, although it’s received other reports, according to the researcher.

The attacks resemble those from a group of Chinese hackers known
as “Titan Rain,” the researcher told internetnews.com.

Zero-day vulnerabilities are not limited to new software, the SANS
researcher said. “Sadly, even old software like Windows or Office still
contains plenty of bugs to be found.”

SANS, which earlier this month reported that zero-day
attacks are on the rise, noted other shifts in software security, including a move away from usual targets and a decision to seek out security flaws that might be new and therefore less known.

“Hacking is not about getting your 15 minutes of fame anymore,” Ken
Durham, a director of rapid response for Dulles, Va.-based IDefense, told
internetnews.com. “Cybercrime is a multi-million dollar global
business.”
