zero day word exploit

Discussion in 'OT Technology' started by col_panic, May 23, 2006.

  1. col_panic

    well shit


    May 22, 2006

    Exploits Circulating for Zero Day Flaw in Microsoft Word

    eEye Digital Security is advising customers of the existence of exploit code leveraging a previously unknown vulnerability in Microsoft Word. This exploit code has been targeting individuals through email messages with a malicious Microsoft Word attachment. The messages appear to come from someone within the individual's own organization, and simply opening the Word file causes the system to be exploited.

    Severity

    High

    Systems Affected

    Windows 2000
    Windows 95
    Windows 98
    Windows Me
    Windows NT
    Windows Server 2003
    Windows XP
    Microsoft Word

    Overview

    Successful exploitation of this flaw would lead to the attacker gaining full rights in the context of the exploited user. As an example, if an exploited system was being run under Administrator privileges, then the attacker would gain Administrator privileges for that machine and be able to execute code, delete or edit files or change configuration settings.

    It should be noted that these attacks are currently extremely targeted. Across various organizations only a small handful of systems have been attacked. These emails were at least somewhat hand-crafted for the people targeted for attack. Administrative privileges are required for the exploit code to operate properly, although administrative privileges are not required for the security vulnerability itself.

    Attack Characteristics

    Early forensic investigations show the attacks originating from within China.

    To date, there have been two variants found in the wild, termed most popularly GinWui.A and GinWui.B.

    Two email subject lines have been reported:
    "Notice"
    "RE Plan for final agreement"

    Two email doc attachments have been reported:
    "NO.060517.doc.doc"
    "PLANNINGREPORT5-16-2006.doc"

    Previous versions of this exploit have been reported to be successful on Chinese versions of Microsoft Word. This new variant has been confirmed to work on Microsoft Word 2000, Word 2002, and Word 2003 English versions. On Microsoft Word XP, the exploit crashes the machine; however, it is trivial to modify the exploit to allow for remote code execution, and we expect this to be a possibility in any future variants.

    Prevention

    eEye Digital Security's Research Team has confirmed that eEye's Blink® protects from the potential exploitation of this Microsoft Word zero day vulnerability without requiring invasive firewalling. The result is 100% protection, with zero downtime or impact to operations.

    Users interested in protecting their systems with Blink can download an evaluation here:
    http://www.eeye.com/html/products/blink/download/index.html

    References

    Microsoft Security Response Center's Pages on GinWUI
    http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx
    http://blogs.technet.com/msrc/archive/2006/05/20/429612.aspx

    US-CERT Technical Cyber Security Alert TA06-139A on GinWUI
    http://www.us-cert.gov/cas/techalerts/TA06-139A.html

    US-CERT Vulnerability Note VU#446012 on GinWui
    http://www.kb.cert.org/vuls/id/446012

    SANS Page on GinWui Targeted Attack
    http://isc.sans.org/diary.php?storyid=1345
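
A mail-triage check built from the subject lines and attachment names the advisory lists, as an added example that is not part of the original post or of eEye's advisory. The function names, the example.org addresses, the constructed sample messages and the repeated-extension heuristic are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text, lower-cased for comparison.
REPORTED_SUBJECTS = {"notice", "re plan for final agreement"}
REPORTED_ATTACHMENTS = {"no.060517.doc.doc", "planningreport5-16-2006.doc"}


def triage_message(raw_bytes):
    """Return the reasons a raw RFC 822 message matches the advisory ([] if none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # policy.default decodes RFC 2047 encoded headers; collapse whitespace.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in REPORTED_SUBJECTS:
        reasons.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()  # None for containers and inline body parts
        if not name:
            continue
        name = name.strip().lower()
        if name in REPORTED_ATTACHMENTS:
            reasons.append("attachment:" + name)
        # Assumed heuristic: a repeated extension such as ".doc.doc",
        # generalised from the first reported attachment name.
        stem, dot, ext = name.rpartition(".")
        if dot and ext and stem.endswith("." + ext):
            reasons.append("repeated-extension:" + name)
    return reasons


def build_sample(subject, filename):
    """Build a constructed test message; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "colleague@example.org"   # constructed address
    m["To"] = "recipient@example.org"     # constructed address
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder, not a real document",
                     maintype="application", subtype="msword",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Notice", "NO.060517.doc.doc"),
                        ("RE Plan for final agreement", "PLANNINGREPORT5-16-2006.doc"),
                        ("Lunch menu", "menu.doc")]:
        print(subj, "->", triage_message(build_sample(subj, fname)))
```

A subject-only hit on "Notice" is weak evidence by itself; treat it as significant only together with an attachment reason.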
     
