Hackers Use New Zero-Day Word Exploit In Targeted Attack
The vulnerability, which is a buffer overflow problem, affects Office 2000 and Office XP, according to Dave Marcus, a security research manager for McAfee Avert Labs. McAfee received a copy of the exploit from one of its antivirus users, says Marcus. It sent it to Microsoft on Feb. 9, and Microsoft confirmed on Wednesday that it is a new zero-day vulnerability.
This makes about half a dozen zero-day vulnerabilities to plague Microsoft Word since the beginning of January, notes Marcus.
Hackers used the then-unknown vulnerability to launch an attack against two employees at the same company earlier this month. "It was used in an extremely targeted attack," says Marcus, who wouldn't name the company, the industry it's in, or the type of work the employees do. "The attack was based on the role of the people being targeted. It was that targeted, that surgical."
Marcus adds that the attack, which wasn't successful, was aimed at stealing both personal and corporate information. "This is the Holy Grail of exploits," he says.
In the advisory that Microsoft posted online Wednesday night, analysts explain that a user has to open a malicious Office file attachment, such as a Word document, in an e-mail. If the file is opened, a Trojan or bot is downloaded onto the victim's computer, leaving it open for remote access, according to Marcus. The infected machine then could be used as a zombie, or part of a botnet, to send out spam or launch denial-of-service attacks.
The vulnerability was discovered recently, and it wasn't fixed in Microsoft's Patch Tuesday release, which included 12 patches and covered 20 vulnerabilities. In its advisory, Microsoft stated that it's working on a patch for the vulnerability.
Marcus says McAfee analysts haven't seen the exploit for this vulnerability circulating in the wild.
"It comes down to the fact that this is, essentially, how the bad guys try to steal data," he says. "They take the application and continually pound it to try to find vulnerabilities, and then they work on exploiting it. It's another zero-day, and we'll have plenty more of them later this year. The bad guys have gotten very effective at analyzing the code, and they keep doing it."