Microsoft Word Zero-Day Under Investigation
On December 5, 2006, Microsoft announced they were investigating reports of the exploitation of a zero-day vulnerability in Microsoft Word (described in Microsoft Security Advisory 929433). There is very little information available regarding the technical details of this new vulnerability. Symantec Security Response is monitoring the situation and will respond appropriately once further information is known.
At this time, Security Response has seen various malware binaries which may be related to the limited reports noted by Microsoft. These files are detected as "Downloader" by LiveUpdate virus definitions, version 12/6/2006 rev. 16. At least one known downloaded file is detected as Backdoor.HackDefender, using Rapid Release virus definitions, version 12/6/2006 rev. 25.
The standard best practices apply in this situation and as such, caution should be exercised when dealing with unsolicited attachments from unknown, and even known, sources.
The aforementioned "Downloader" detections have been renamed to Downloader.Realog and Downloader.Sniper starting from Rapid Release virus definitions, version 12/6/2006 rev. 53.
A heuristic bloodhound detection has been added for this vulnerability, starting with Rapid Release virus definitions version 2006/12/12 rev. 41. Details can be found at Bloodhound.Exploit.106.