10 replies to this topic

[AplusWebMaster]

FYI...

- http://www.websense....php?AlertID=713
December 06, 2006
"...As with previous Office exploits, we expect email to be used as the initial infection vector, with lures to run attached documents. The exploits *usually* then connect to remote sites (that is, they are Trojan Downloaders) to download additional payloads. The Websense Threatwatcher process mines the malicious code that is being downloaded through Trojan Downloaders such as Office zero-day exploits. Although attacks in the past have been limited in target numbers, business sectors, and regions, there is a potential for more widespread attacks with this Word zero-day."

> http://forums.tomcoy...a...st&p=336467

Edited by AplusWebMaster, 26 January 2007 - 08:49 PM.

[AplusWebMaster]

FYI...

Another new Word 0-day...
- http://isc.sans.org/...hp?storyid=1925
Last Updated: 2006-12-10 22:03:23 UTC
"...McAfee* has released a dat today for protection against a buffer overflow attack in MS Word. The announcement says "Note: This vulnerability was first found through one of the samples that McAfee analyzed, and this vulnerability differs from the "Microsoft Word 0-Day Vulnerability I" that was published on December 5, 2006". Other vendors are expected to follow suit..."

* http://vil.nai.com/v.../v_vul27249.htm

- http://vil.nai.com/v...nt/v_127787.htm

- http://vil.nai.com/v...nt/v_141056.htm

- http://vil.nai.com/v...nt/v_141057.htm

> http://blogs.technet...d-zero-day.aspx
December 10, 2006

- http://secunia.com/advisories/23205/
Release Date: 2006-12-11
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
...NOTE: The vulnerability is already being actively exploited.
Solution: Do not open untrusted Office documents...
- http://secunia.com/advisories/23232/
Release Date: 2006-12-06

Edited by AplusWebMaster, 11 December 2006 - 06:42 AM.

[AplusWebMaster]

FYI...

- http://www.kb.cert.org/vuls/id/167928
Date Last Updated: 12/06/2006
"...Solution:
Do not open untrusted Word documents...
Do not rely on file name extension filtering...
Disable automatic opening of Microsoft Office documents*

Office Document Open Confirmation Tool
* http://www.microsoft...;displaylang=en

.

[AplusWebMaster]

FYI...

Third Word hole in ten days
- http://www.heise-sec...o.uk/news/82548
Dec. 14, 2006
"...Word documents, no matter what their source, should only be opened after discussion with the sender or author. Users could protect themselves against infection by the previous holes in Word by activating the Safe Mode*. It remains unclear whether that also helps against the new holes."

* http://support.microsoft.com/kb/827706
"...To use the CTRL key to initiate Office Safe Mode, follow these steps:
1. Click Start, point to All Programs, point to Microsoft Office, and then press CTRL while you click Microsoft Office Word 2003.
Note For Microsoft Word 2002, click Start, point to All Programs, and then press CTRL while you click Microsoft Word.
Important: Continue to press CTRL while Word is starting.
2. You receive the following message:
'Word has detected that you are holding down the CTRL key. Do you want to start Word in safe mode?'
Click Yes..."

[AplusWebMaster]

FYI...

- http://secunia.com/advisories/23950/
Release Date: 2007-01-26
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
...The vulnerability is reported in Microsoft Word 2000. Other versions may also be affected.
Solution: Do not open untrusted Office documents.
Provided and/or discovered by: Discovered as a 0-day.
Other References: Symantec:
* http://www.symantec..../...-99&tabid=1

- http://www.infoworld...ayattack_1.html
January 26, 2007 ~ "...The zero-day vulnerability is the fourth in Microsoft's widely used Word 2000 software that has not yet been patched, the security company said in its Security Response Weblog**. A zero-day vulnerability refers to a security hole for which exploits are already available when it was discovered. This latest one affects most versions of Windows running Word, Symantec's advisory said*..."

** http://www.symantec....000_vulner.html

.

Edited by AplusWebMaster, 26 January 2007 - 08:52 PM.

[AplusWebMaster]

Added MS Advisory and CVE reference:

- http://forums.tomcoy...mp;#entry348170

> http://nvd.nist.gov/...e=CVE-2007-0515


.

[AplusWebMaster]

FYI...

Multiple Organizations Targeted by Zero-Day Exploit
- http://preview.tinyurl.com/2xynf7 (Symantec Security Response Weblog)
January 30, 2007 ~ "We have received some additional Word documents that exploit an unpatched Microsoft Word vulnerability. These documents are detected as Trojan.Mdropper.X*. We believe this is a new vulnerability, making it the fifth currently unpatched Office file format vulnerability... The vulnerability could be a slight variation or may be covered by the existing CVEs and we are awaiting confirmation from Microsoft Security Response Center..."

* http://www.symantec....-013010-5422-99

.

[AplusWebMaster]

FYI...

> http://nvd.nist.gov/...e=CVE-2007-0621
(...to be retired)
- http://www.symantec....-013010-5422-99
Trojan.Mdropper.X
Updated: January 31, 2007
"...(as described in Bugtraq ID 22328*)..."
* http://www.securityf...d/22328/discuss
"...Further analysis and reports have revealed that this issue is a variant of the vulnerability described in BID 21518 (Microsoft Word Unspecified Code Execution Vulnerability), which is referenced by CVE-2006-6456**. This BID is being retired."
** http://nvd.nist.gov/...e=CVE-2006-6456

(Back to only -4-)

.

[AplusWebMaster]

FYI...

Active Exploitation of Unpatched Vulnerability in Microsoft Word
- http://www.us-cert.g...rrent/#mswd5exp
updated February 2, 2007
"US-CERT is aware of active exploitation of an unpatched vulnerability in Microsoft Word. There are reports indicating Microsoft has issued a response that this vulnerability is related to VU#166700*, reported in December 2006. According to Symantec, there are different documents that use this same exploit from multiple organizations. Each document has been specifically crafted for the targeted organization in both language and content. Details are limited at this point...
Until Microsoft issues a security fix, or more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:
> Do not open or save untrusted Word documents or attachments from unsolicited email messages.
> Disable automatic opening of Microsoft Office documents, as specified in the Office Document Open Confirmation Tool** document.
> Do not rely on file name extensions as a way to securely filter against malicious files..."

* http://www.kb.cert.org/vuls/id/166700

** http://preview.tinyurl.com/lzwos

.

[AplusWebMaster]

Now -5- ...

- http://www.avertlabs...rch/blog/?p=199
February 9, 2007 ~ "...McAfee Avert Labs is currently investigating a new Word exploit. Preliminary analysis shows that this is a different issue than those referenced in my last blog:
# CVE-2006-5994
# CVE-2006-6456
# CVE-2006-6561
# CVE-2007-0515
# CVE-2007-0621 (Microsoft states this is a duplicate of CVE-2006-6456)
# CVE-2007-0671 (Office zero-day uncovered by McAfee Avert Labs)
This new exploit may be somehow related to MS06-027* and the DAT files proactively detect this new threat as a variant of Exploit-MS06-027 since June 2006. This threat appears to exploit Word 2000... Like many of the recent Word exploits, this appears to have been used in a very limited and targeted attack.

Update Feb 9, 1:30pm
Microsoft has acknowledged this issue. They state that it is limited to a Denial of Service attack on Word 2000 and that code execution is not possible. Denial of Service is clearly not as critical as other recent issues. Looks like this targeted attack was flawed."

* http://vil.nai.com/v.../v_vul26033.htm

> http://nvd.nist.gov/...e=CVE-2007-0870

.

Edited by AplusWebMaster, 11 February 2007 - 07:43 PM.

[AplusWebMaster]

Now -6- ... or 7? (count is "fuzzy"):

- http://www.kb.cert.org/vuls/id/194944
Last Updated: 03/07/2007
"I. Description
Microsoft Office documents include summary information about the document, such as the line count in the document. Microsoft Windows Explorer can parse summary information in an Office document without having to open the document. A memory corruption vulnerability exists in a library Microsoft Windows Explorer uses to parse document summary information. This vulnerability can be triggered by accessing a specially crafted document, or by accessing the folder containing the document. Exploit code is available for this vulnerability.
II. Impact
The complete impact of this vulnerability is not known. Memory corruption does occur, but it is not clear if this can be leveraged to execute arbitrary code. At a minimum, this vulnerability will cause Microsoft Windows Explorer to crash.
III. Solution
We are currently unaware of a practical solution to this problem..."

> http://www.pcworld.i...p?id=316675692
"...Attackers can exploit the OLE32.DLL vulnerability by crafting a malicious Word document, then duping users into downloading the document or opening it when it arrives via e-mail. Software that's linked to OLE32.DLL, such as the Windows Explorer file navigator, will crash, said Symantec. The flaw affects Windows XP and Windows 2000..."

> http://nvd.nist.gov/...e=CVE-2007-1347

> http://isc.sans.org/...ml?storyid=2396

Edited by AplusWebMaster, 09 March 2007 - 06:48 PM.