Mon 22 May 2006
from eEye.com
May 22, 2006
Exploits Circulating for Zero Day Flaw in Microsoft Word
eEye Digital Security is advising customers of the existence of exploit code leveraging a previously unknown vulnerability in Microsoft Word. This exploit code has been targeting individuals through email messages with a malicious Microsoft Word attachment. The messages appear to come from someone within the individual’s own organization, and simply opening the Word file causes the system to be exploited.
Severity
High
Systems Affected
Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT
Windows Server 2003
Windows XP
Microsoft Word
Overview
Successful exploitation of this flaw would lead to the attacker gaining full rights in the context of the exploited user. As an example, if an exploited system was being run under Administrator privileges, then the attacker would gain Administrator privileges for that machine and be able to execute code, delete or edit files or change configuration settings.
It should be noted that these attacks are currently extremely targeted. Across various organizations only a small handful of systems have been attacked. These emails were at least somewhat hand-crafted for the people targeted for attack. Administrative privileges are required for the exploit code to operate properly, although administrative privileges are not required for the security vulnerability itself.
Attack Characteristics
Early forensic investigations show the attacks originating from within China.
To date, two variants have been found in the wild, most commonly termed GinWui.A and GinWui.B.
Two email subject lines have been reported:
“Notice”
“RE Plan for final agreement”
Two email doc attachments have been reported:
“NO.060517.doc.doc”
“PLANNINGREPORT5-16-2006.doc”
Previous versions of this exploit have been reported to be successful on Chinese versions of Microsoft Word. This new variant has been confirmed to work on Microsoft Word 2000, Word 2002, and Word 2003 English versions. On Microsoft Word XP, the exploit crashes the machine; however, it is trivial to modify the exploit to allow for remote code execution, and we expect this to be a possibility in any future variants.
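As an added example (not part of the eEye advisory), a mail-gateway triage check in Python that matches the subject lines and attachment names reported above. It goes beyond the advisory in two labelled ways: it tolerates a colon after "RE", and it flags any other ".doc.doc" doubled extension for review; the function names, verdict labels and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as reported in the advisory, lower-cased for comparison.
REPORTED_SUBJECTS = {"notice", "re plan for final agreement"}
REPORTED_ATTACHMENTS = {"no.060517.doc.doc", "planningreport5-16-2006.doc"}


def triage(raw_message: bytes):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    # policy.default decodes RFC 2047 encoded-words in headers.
    # Assumption: a colon after "RE" may have been dropped in the report.
    subject = str(msg["Subject"] or "").replace(":", " ")
    subject = " ".join(subject.split()).lower()
    if subject in REPORTED_SUBJECTS:
        reasons.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in REPORTED_ATTACHMENTS:
            reasons.append("attachment:" + name)
        elif name.endswith(".doc.doc"):
            # Generalization beyond the advisory: doubled extension.
            reasons.append("doubled-extension:" + name)
    if any(r.startswith("attachment:") for r in reasons):
        verdict = "quarantine"
    elif reasons:
        verdict = "review"  # a subject such as "Notice" alone is a weak signal
    else:
        verdict = "pass"
    return verdict, reasons


def build_sample(subject, filename=None):
    """Constructed test message; the attachment body is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
    m.set_content("See attached.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("Notice", "NO.060517.doc.doc")))
    print(triage(build_sample("RE: Plan for final agreement")))
    print(triage(build_sample("Lunch?", "minutes.doc")))
```

Because the advisory describes the messages as hand-crafted per target, exact-name matching catches only the reported samples; treat a "pass" verdict as no match, not as clean.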
Prevention
eEye Digital Security’s Research Team has confirmed that eEye’s Blink® protects from the potential exploitation of this Microsoft Word zero day vulnerability without requiring invasive firewalling. The result is 100% protection, with zero downtime or impact to operations.
Users interested in protecting their systems with Blink can download an evaluation here:
http://www.eeye.com/html/products/blink/download/index.html
References
Microsoft Security Response Center’s Pages on GinWui
http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx
http://blogs.technet.com/msrc/archive/2006/05/20/429612.aspx
US-CERT Technical Cyber Security Alert TA06-139A on GinWui
http://www.us-cert.gov/cas/techalerts/TA06-139A.html
US-CERT Vulnerability Note VU#446012 on GinWui
http://www.kb.cert.org/vuls/id/446012
SANS Page on GinWui Targeted Attack
http://isc.sans.org/diary.php?storyid=1345