JAWW (beta)

The ward is a factory for the Combine

0-day vulnerability in Microsoft Word: Do Not Open Untrusted Microsoft Office Documents!

Secunia logo

Microsoft Word Unspecified Code Execution Vulnerability

Secunia Advisory: SA20153
Release Date: 2006-05-19
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office XP
Microsoft Word 2002
Microsoft Word 2003

A vulnerability has been reported in Microsoft Word, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an unspecified error. This can be exploited to execute arbitrary code.

NOTE: This vulnerability is being actively exploited.

The vulnerability has been reported in Microsoft Word 2002 and Microsoft Word 2003.

Internet Storm Center Infocon Status

“We are still analyzing the trojan dropped by the exploit. What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and “pings” this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run.

Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com

6 responses to “0-day vulnerability in Microsoft Word: Do Not Open Untrusted Microsoft Office Documents!

  1. timethief May 23, 2006 at 00:08

    Sheesh! I’m just learning about computers and about blogging and now I find out my Microsoft Word 2003 has a vulnerability to malicious hackers. I can’t understand the jargon you used so how would a newbie know if her computer had contracted a Trojan. Will my router and Norton internet security package be able to cope? Aside from changing to Linux and mounting Open Office, do you have any advice to offer?What makes one’s computer less vulnerable to Trojans (I don’t visit chat rooms, download music, and I don’t visit porno sites)? Every day another worry … sigh … (I just want to blog).

  2. options May 23, 2006 at 00:45

    *sigh* they are attacking by sending an e-mails with infected .DOC attached, timethief, so, if you’ve followed a warning statement I put in this article header (don’t open untrusted docs) you must be clean for this particular vuln.

    you can check your PC online at: http://safety.live.com but, honestly, I don’t trust online scanners (though offline also). you know, I’m a bit sceptical to all that kewl online Web 2.0 stuff ;-)

    Symantec has already an updated virus definition database.

    also, you might want to check out MS Security Response Center (aka Stephen Toulouse PR guy) blog.

    unfortunately, there’s not much an average technical skilled user can do about security — this is an Operating System vendor’s task.

    my only best advise would be: Do NOT Use an ‘Administrator’ Account for regular works like web browsing e-mail reading and such. never.

  3. timethief May 23, 2006 at 18:59

    I have been following the warning statement in your header as a common practice religiously for 2 and 1/2 years. You see 3 years ago when I got my first computer I opened an email attachment and my computer was overtaken by a trojan. Having gone through that hell when I was just learning how to use a computer at all put the “fear” in me. I don’t know if this was related but on Sunday I was amazed to find symantec contacting me through a Norton “alert”. I was instructed to uninstall Norton Internet Security and then re-install it due to a “problem” that had been discovered and a “fix” they had prepared for it. It was a lengthy process but seemed to proceed as expected. Later that day my brother in Vcitoria and my sister in Edmonton said the same thing happened with them.
    I don’t know what you mean by your last statement. I’m the only one using my computer and of course my account is an Administrator’s account – what are you suggesting here please? I don’t get it :

  4. options May 23, 2006 at 22:55


    I’m the only one using my computer and of course my account is an Administrator’s account

    [one more *sigh*] alas, this is a common and typical mistake which eventually make users of MS Windows(R) OS being mislead by its vendor.

    Aaron Margosis: “The #1 reason for running as non-admin is to limit your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious or other “undesirable” code finds its way to one of those programs, it also gains unlimited access.

    A corporate firewall is only partial protection against the hostility of the Internet: you still browse web sites, receive email, or run one or more instant messaging clients [added 2004.06.25] or internet-connected games. Even if you keep up to date on patches and virus signatures, enable strong security settings, and are extremely careful with attachments, things happen.

    Let’s say you’re using your favorite search engine and click on a link that looks promising, but which turns out to be a malicious site hosting a zero-day exploit of a vulnerability in the browser you happen to be using, resulting in execution of arbitrary code.

    When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privs. If the exploit happens to be written so that it requires admin privileges (as many do), just running as User stops it dead.

    here’s a couple of articles I managed to find which seems to me like oriented towards a broad auditory, so I guess they should be comprehensible: “‘Least Privilege’ Can Be the Best” and “Users Overlook XP’s Non-Admin Security“.

    and a useful site on this topic (if you change your mind in the result ;-) ‘Non-Admin Wiki’ ( http://nonadmin.editme.com )

  5. timethief May 26, 2006 at 01:44

    Just checking in to let you know I have created new user acounts as was suggested in the beginner friendly articles you shared. It feels good to be on the receiving end of the good work you do. I know my computer is more secure because I visited your blog and found what I needed here. Thumbs up!:D

  6. options May 29, 2006 at 18:05

    hello, timethief!

    thank you for this kind comment.

    I am really glad (and feeling myself a little bit proud) by the fact you are now using a far more safe approach of using your computer.

    there is also one more important point about it: making your computer safer, thus you help other people to stay more secure, because your own computer (being connected to the Network) can not be used anymore as a vehicle for spreading and delivering malicious code to other’s (may be yet) vulnerable nodes of the Net.

    happy hacking,
    /options ;-)

%d bloggers like this: