MS Word Attacks Likely To Continue

Last week, several security vendors and research firms discovered targeted attacks that use a previously unknown vulnerability in Word. The exploits arrive as an e-mail with an infected Word attachment that drops a backdoor on the PC, enabling a remote user to gain access to the machine for collecting data or launching more attacks.

The zero-day attacks using Word so far have been limited to large corporations and government agencies and aren't widespread, according to Johannes Ullrich, chief research officer for the SANS Internet Storm Center. But the Word vulnerability is still "highly critical" because it's difficult for organizations to block all Word documents in e-mail, he added.

To address the threats until Microsoft issues a patch, the SANS Internet Storm Center recommends that organizations use an e-mail system that quarantines attachments for at least six to 12 hours to allow antivirus signatures to catch up. It also suggests setting limits on user administration rights, using proxy servers to control sites accessible to internal users, and employing intrusion-detection systems and firewalls to monitor outbound traffic.

"Note that this is not a temporary situation that will blow over soon. Microsoft will release a patch against this problem in June, but even after that there are likely to be other attacks using other exploits," researchers wrote on the SANS Internet Storm Center Web site.

Stephen Toulouse, a security program manager with Microsoft's security response center, said in a blog post over the weekend that although the attack is limited in scope, Microsoft is working to fix the issue.

"Right now we're on schedule [for the update] to be released as part of the June security updates on June 13, 2006, or sooner as warranted," Toulouse said in the blog entry.

However, other security researchers and vendors have deemed the threat more serious. For example, security firm Secunia said the vulnerability is being "actively exploited" and rated it as "extremely critical." And Symantec last week raised its threat level from one to two out of four, citing the relevance of the attack to large corporations and government agencies.

Vincent Weafer, senior director of Symantec's security response team, said there’s a general trend toward targeted, intelligent zero-day attacks that use data mining as a precursor to phishing attempts.

"This is the type of attack large corporations and government agencies worry about," Weafer said. "You're talking about attackers that have targeted individual companies because they want something of value."