Microsoft Working On Word Patch - InformationWeek


04:09 PM


The Microsoft Word bug first surfaced last week, when numerous security companies said an active exploit was using an unpatched vulnerability in Word 2003 and Word XP to drop a backdoor Trojan onto a limited number of PCs.

Microsoft said it's working on a fix for the zero-day vulnerability in Word that spooked security vendors last week, but likely won’t release a patch until June 13, the next regularly-scheduled monthly patch day.

The Microsoft Word bug first surfaced Friday, when numerous security companies, led by Symantec, said that an active exploit was using an unpatched vulnerability in Word 2003 and Word XP to drop a backdoor Trojan onto a limited number of PCs. Once in place, the Trojan -- which uses rootkit techniques to infiltrate code into difficult-to-detect locations on the drive -- provides the attacker with command shell access to the PC, effectively hijacking the machine.

Friday and Saturday, Microsoft acknowledged the Word bug, said it was working on a fix, and downplayed the vulnerability.

"So far, this is a very limited attack, and most of our antivirus partners are rating this as 'low,'" Stephen Toulouse, program manager for Microsoft Security Response Center (MSRC), wrote on the MSRC blog Saturday.

Friday, Toulouse said that his team was working up a patch, which had already moved into testing, and would release with the June update, "or sooner as warranted."

Microsoft's Windows Live Safety Center has been updated, added Toulouse, to detect and delete the Trojan planted by the exploit. (It does not, however, protect a PC from infection.)

Although virtually every security company and organization put out warnings of the Word flaw, including U.S. CERT, which releases warnings sparingly (only 19 so far in 2006), some seconded the MSRC's stress on the limited nature of the attack.

"The group originating these attacks does so in a very targeted fashion," said the SANS Institute's Internet Storm Center (ISC) in its latest alert. "The document is crafted to target a specific organization, containing specific elements that deal with just that one organization. If you don't work for them, you are very unlikely to ever see this."

But if so few users are at risk, why did the security industry's alarm bells ring so loudly? A pair of analysts offered different opinions.

"Actually, I think it was because it was something different than the usual suspect, Internet Explorer," said Mike Murray, director of research at vulnerability management vendor nCircle. "When a zero-day vulnerability is about something other than IE, it usually gets more attention."

Vincent Weafer, senior director of Symantec's security response group, had a different take. "For large organizations, like enterprises and government, this [kind of attack] is what they worry about. The attack implies knowledge [of the attacked organization] and intent to mine its data."

Unlike run-of-the-mill exploits, most of which get blocked at the corporate perimeter, a targeted attack like this is, even if rare, the kind of risk that makes IT managers lose sleep. "They're really concerned about the possibility of targeted attacks," said Weafer.

Other details of the attack have surfaced since Friday, including the location of the Web site from which the Trojan is downloaded: China. "And the URL has been used for targeted attacks in the past," said Weafer.

By the Internet Storm Center's analysis, the site has been actively changing the URL's IP address to stay up and running. As of mid-day Monday, however, the site was offline or not available to TechWeb.

"If you're not on their target list, chances are you will not see an exploit till Microsoft releases a patch and the knowledge to exploit it can be derived by the hackers," concluded the ISC.

"Panic and blindly taking actions is probably the worst course of action you can take."
