New tricks with old software: New zero-day in MS Office 2000
In recent months there has been a lot ofactivity around the discovery and exploitation of vulnerabilities inthe Microsoft Office 2003 suite of applications. This activity led tothe discovery of a large number of vulnerabilities in Microsoft Word,PowerPoint, and Excel; many of which were incorporated into newTrojans, such as the Trojan.PPDropper and Trojan.MDropper families. Asa result, Microsoft has spent a fair amount time and effort in patchingsecurity vulnerabilities in its Office 2003 suite.
In thepast couple of days, we have seen samples of a Trojan that exploits apreviously unknown vulnerability in Microsoft's Office applications.This time, it is in Microsoft Word 2000 running on Windows 2000. ThisTrojan (detected by Symantec products as Trojan.MDropper.Q)takes advantage of the vulnerability to drop another file onto thetarget computer. Detected as a Trojan, this dropped file in turn dropsanother file, which is actually a new variant of Backdoor.Femo.As with other recent Office vulnerabilities, documents incorporatingthe exploit code must be opened with a vulnerable copy of MicrosoftWord 2000 for it to work. As such, it makes the vulnerabilityunsuitable for the creation of self-replicating network worms.
Microsoft Office vulnerabilities are a great platform for socialengineering and email based attacks. Enterprises, small businesses, andconsumers alike continue to share and exchange information usingMicrosoft Office documents. As most of these document types aregenerally allowed to pass through firewalls and security solutions,Microsoft Office documents are good vehicles for hiding executablemalicious code.
Until a vendor supplied patch is made available and then installed, users should follow safe computing practices and exercise extreme caution when opening unsolicited emails containing Microsoft Office documents.