Zero-day (0-day) Microsoft Word exploit

There was some news on this last night, and today F-Secure has some details as well on the trojan that's dropped by this circulating exploit. It seems as though the initial attack was very targeted against a specific organization. Antivirus packages did not recognize the trojan that the exploit file dropped as of yesterday, although it's looking like F-Secure now has detection, and I would suspect other AV vendors will as well.

Essentially, one organization reported in to incidents that they were receiving emails with MS Word attachments. One user noticed that a domain name in the email wasn’t exactly correct…

“Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system). The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a “clean” (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new “clean” file is opened without incident.” They are working with Microsoft on this.

It looks as though it gives a thorough once-over of the system settings, patch status, etc. when it's dropped.

I remember not too long ago reading about the market for zero-day exploits. There are, of course, unpublicized flaws in many applications that are also unpatched. It pays to be alert. In this case – suspicion of any email attachment would be one of the first lines of defence.

F-Secure has tagged the trojan as Ginwui.A

according to them…

Ginwui is a fully-featured backdoor with rootkit features. This backdoor was distributed inside a document file with shellcode that dropped the backdoor's file to a hard drive and activated it.

It creates a registry key…
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "%WinSysDir%\winguis.dll"

It drops CSRSE.EXE into the temporary folder and uses that to drop WINGUIS.DLL into the Windows system folder.

After infection it attempts to connect to a site to allow the cracker remote access… the following capabilities seem to exist:

create, read, write, delete and search for files and directories
access and modify the Registry
manipulate services
start and kill processes
take screenshots
enumerate open windows
create its own application window
get information about infected computer
lock, restart or shutdown Windows
create a pipe and read files from it
start a remote command shell
enumerate network resources

Also, it apparently creates three empty .sys files in the drivers folder under Windows\System32.
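As an added example (not from the original post or F-Secure's write-up), here is a PowerShell triage script that checks a machine for the indicators listed above. The registry value, DLL and dropper names come from the post; it assumes CSRSE.EXE may sit in either the user's temp folder or Windows\Temp, and since the three .sys files are unnamed, it flags any zero-byte .sys under the drivers folder.

```powershell
# Added example, not from the original post: checks a Windows host for the
# Ginwui indicators described above. Run from an elevated PowerShell prompt.
# Assumptions: CSRSE.EXE may be in the user's or the system temp folder, and
# the three empty .sys files (unnamed in the post) are any zero-byte .sys
# under the drivers folder.

$sysDir = [Environment]::SystemDirectory    # normally C:\Windows\System32
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$hits   = New-Object System.Collections.Generic.List[string]

# 1. AppInit_DLLs: every DLL listed here is loaded into every process that
#    loads user32.dll, so any non-empty value deserves review, not just winguis.dll.
$appInit = (Get-ItemProperty -Path $winKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    $hits.Add("AppInit_DLLs is non-empty: '$appInit'")
    if ($appInit -match 'winguis\.dll') { $hits.Add('AppInit_DLLs references winguis.dll (Ginwui indicator)') }
}

# 2. Dropped files named in the post (temp folder location is an assumption).
$dropped = @(
    (Join-Path $sysDir 'winguis.dll'),
    (Join-Path $env:TEMP 'csrse.exe'),
    (Join-Path $env:SystemRoot 'Temp\csrse.exe')
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) { $hits.Add("Dropped file present: $path") }
}

# 3. Zero-byte .sys files in the drivers folder.
Get-ChildItem -LiteralPath (Join-Path $sysDir 'drivers') -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -eq 0 } |
    ForEach-Object { $hits.Add("Zero-byte driver file: $($_.FullName)") }

# 4. Is winguis.dll already mapped into a running process? Module lists of
#    protected processes may be unreadable; those are skipped.
foreach ($proc in Get-Process) {
    try {
        if ($proc.Modules | Where-Object { $_.ModuleName -ieq 'winguis.dll' }) {
            $hits.Add("winguis.dll loaded in $($proc.ProcessName) (PID $($proc.Id))")
        }
    } catch { }
}

if ($hits.Count -eq 0) {
    Write-Host 'No Ginwui indicators found.'
} else {
    $hits | ForEach-Object { Write-Warning $_ }
    Write-Host 'Treat the host as compromised: isolate it and preserve the files above for analysis.'
}
```

A clean result only rules out these specific indicators; a host that opened the attachment should still be checked for the registry value and driver files after a reboot, since the post describes the DLL loading into every new process.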

Update –2pm EDT 5/19/06–
SANS has pointed out that the Word file in question is now detected by McAfee as Exploit-OleData.gen, though there are no real details in McAfee's database yet.

Update –3pm EDT 5/19/06–
Another update here: it looks like McAfee has detail on the dropper, which they've named BackDoor-CKB!cfaae1e6. Also, Symantec has entries for both the backdoor Ginwui (Backdoor.Ginwui) and the dropper Word document file (Trojan.Mdropper.H). They're all calling this a low threat (level 1, depending on the vendor). I'd like to point out that something is usually given a low threat rating when 1) it's not widespread and 2) it requires user intervention (in this case, opening an attachment).

Unfortunately those ratings can make it seem as though this is not a serious concern. Obviously there aren't copies of this "all over", but be cautious: the first notice was a targeted attack on an organization, and it was certainly a high-risk piece of malware.

–update 5:15 EDT 5/19/06–

The Security Fix has coverage of the zero-day Word exploit now. Also, Microsoft has a mention of it on their security blog. It sounds as though using the Word Viewer will not get you into trouble in this instance; the flaw seems to affect Word XP and Word 2003. There is work underway on an Office update.

Of course, it does require the opening of an attachment. As always, be suspicious of unexpected attachments; some security policies would block attachments, period. SANS is recommending a number of ways to deal with the zero-day, including the possible substitution of OpenOffice until there's a patch. (Not their only suggestion, obviously.) Limiting user privileges is a HIGHLY recommended way to protect against this sort of thing, as is education about verifying that attachments are from who they say they are. If it's unexpected, call ("Did you send me…?").

Secunia has given the vulnerability a high rating (extremely critical).

Further, Brian at the Security Fix notes that targeted attacks like the way this started are becoming INCREASINGLY common. One of the "advantages" for a hacker of a targeted attack is that it could possibly stay "under the radar" of the large antivirus firms. Therefore it's more effective: use a previously unknown exploit and make judicious use of it. (As opposed to broadcasting a mass mail to half the known world using an unknown exploit, which gets it fixed tomorrow/next week/etc.) Even when this vulnerability is fixed, it pays to be suspicious and to double-check the source of unexpected attachments.

And while expecting the fix on this, you might want to make sure you're set up to use Microsoft Update as opposed to Windows Update. Microsoft Update will carry Office product fixes as well as core OS fixes; if you use Windows Update, you will likely not receive this fix when it comes out. The Microsoft patch for this zero-day (0-day) exploit in Word is not expected until June 13th.

– update 5/25/06–

Sorry, updates have been a bit slow on this…

The current bulletins disregard Word 2000 and suggest that ONLY Word 2003 and Word 2002 (XP) are vulnerable. I saw a report that Microsoft may release early "if warranted"…. ok… Outside of that, one of the official recommendations seems to be to run Word in safe mode. This involves disabling Word as Outlook's message editor (in Outlook: Tools, Options, Mail Format; clear the two boxes for using Word to edit messages and to read rich text messages). Next, to run Word in safe mode, /safe needs to be put at the end of the command that runs Word. So, for instance, if you have a desktop icon, it can be turned into a "safe mode" icon by right-clicking it, going to Properties, finding winword.exe and adding /safe after it so that it appears like this…. c:\program files\…\winword.exe /safe

OR you can start Word from the Start… Run menu by just typing “winword /safe” (without the quotes).

There are other limitations to safe mode, of course, so the usefulness of this for you may vary. It would prevent the exploit from working, though, if a suspect file were opened with a "safe mode" copy of Word. (Clicking on the attachment icon, though, would likely open "normal mode" Word. So this isn't the best workaround for ALL cases without making winword.exe /safe the default handler for all .doc files; I'm almost certain that could be done with a registry edit.)


One Response to "Zero-day (0-day) Microsoft Word exploit"

  1. Microsoft June Patch Cycle heads up-- Avery J. Parker - Web site hosting and computer service Says:

    [...] It’s about that time again folks…. Monthly Microsoft patch cycle – June patches will be released on the 13th (next Tuesday) and it looks like a big batch. There should be 12 patches this time and at least one of the Windows updates is Critical and at least one of the Office updates is critical. It’s widely expected that an update will be released for the Word vulnerability that’s been talked about previously here. Also, there will be a change in the ActiveX behavior in Internet Explorer. That change had been scheduled to come out a few months back, but was postponed. [...]
