I’d like to try to clarify the confusion that has surrounded the publishing and reporting of three Microsoft Word vulnerabilities in the last few days. The bad news is that there are actually three different vulnerabilities in the wild. In chronological order, this is the breakdown of these three vulnerabilities.
BID 21451: Microsoft Word Unspecified Remote Code Execution Vulnerability (CVE-2006-5994).
This vulnerability was first reported by Microsoft on December 6 via their Security Advisory 929433. Symantec Security Response created a heuristic detection (Bloodhound.Exploit.106) for this vulnerability that yielded some interesting stuff, which I wrote about yesterday in a blog entry.
BID 21518: Microsoft Word Unspecified Code Execution Vulnerability (CVE-2006-6456).
Microsoft blogged about this vulnerability on Dec 10, to confirm that it was not the same as Vulnerability #1, but to date they have not released an advisory. We have added detection for the malicious code that exploits this vulnerability as Trojan.Mdropper.U. A heuristic detection is currently being worked on for the vulnerability itself and will be released as soon as possible.
BID 21589: Microsoft Word Code Execution Vulnerability (CVE-2006-6561).
The proof-of-concept document was first published on milw0rm on Dec 12. Unlike the two previous vulnerabilities, this one resides in the way Microsoft Word handles data describing the text formatting in a document (such as which font to use, or whether the text is bold or in italics). By modifying certain properties within the data structure used to contain this information, an attacker can cause code to execute within the Microsoft Word process. This could allow it to drop malicious code onto the targeted system, or install a back door. Symantec Security Response has created a heuristic detection for this (Bloodhound.Exploit.108).
While we have not seen wide exploitation of any of these vulnerabilities, at the time of writing they remain unpatched. Please be careful and exercise caution when dealing with unsolicited Word files from any source.