Security researchers have discovered a zero-day vulnerability in Microsoft Word, which is already being actively exploited by hackers in China and Taiwan. Microsoft’s Security Response Center says it is working with antivirus vendors to prevent attacks and plans to release a security patch on June 13.
The exploit is spread as a Word document attached to an e-mail. Users who open the attachment with Word XP and Word 2003 are then infected with a trojan that contains rootkit-like features in order to hide itself from antivirus scanners.
The trojan communicates back to a server, but it’s not yet clear what data is transferred. “When the exploit is launched, early on in the process, it drops a bot, possibly Rbot or some variant,” said SANS Internet Storm Center researcher Chris Carboni in a diary entry.
“Once the bot is in place, it begins an extensive recon of the system; installed patches, installed AV, contents of My Documents, startup file contents, IE config, etc.”
No antivirus application currently detects the exploit, according to SANS. Microsoft is hoping to remedy this problem and says it is working closely with security vendors. The Redmond company plans to update its own Windows Live Safety Center with definitions that detect the new attack.
“The Office team is hard at work on an update that addresses the vulnerability. It’s in testing right now to make sure it’s of the right quality for release,” said Microsoft security researcher Stephen Toulouse. “Right now we’re on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.”
F-Secure has dubbed the trojan “Ginwui.A” and says it allows a hacker to: create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; and more.
Symantec, meanwhile, has raised its ThreatCon level to 2 following news of the exploit. “The DeepSight Threat Analyst team advises administrators to block Microsoft Word document email attachments at the network perimeter,” the company said. “Furthermore, use extreme caution while processing Microsoft Word attachments received via unexpected email.”