Zero-Day Exploit Targets Word

Apparently the bad guys haven't forgotten Office 2000. A new zero-day exploit was found in the wild that takes advantage of a previously unknown vulnerability in Microsoft Word 2000.

"The unique thing about this is that attackers have hammered on Office 2003 [lately] but are now going back and catching some of low-hanging fruit in 2000 that hasn't been patched," says Oliver Friedrichs, a director of the Symantec Secure Response Team, which first detected the new exploit over the weekend.

The exploit comes in the form of a Trojan, Trojan.MDropper.Q, which Symantec first discovered over the weekend. A user has to open the infected file for the attack to succeed, and so far, Symantec has seen a few cases in the wild, but it's not widespread. Secunia gave the vulnerability its highest ranking of "extremely critical."

"At this point, there is no patch available so if you are running Office 2000, you're vulnerable," says Friedrichs, who notes that Symantec informed Microsoft of the new exploit that takes advantage of these newfound vulnerability in Word 2000.

That means Microsoft may have some Office 2000 patches in its next round of Patch Tuesday security bulletins due in one week, on September 12. Symantec issued an update to its antivirus app that covers the Trojan.

A Microsoft spokesperson says the company is investigating reports of "a possible vulnerability in Microsoft Word" and that the attack involves Win32/Wordjmp and Win32/Mofeir malware, for which it has added signatures in its free Windows Live OneCare scanner.

Microsoft may issue a security advisory or provide a secure update, "depending on customer needs," the spokesperson says.

Symantec's Friedrichs, meanwhile, says if a user opens the infected file, the Trojan is installed on his system and then drops backdoor.ferno. "That provides access to the system from an attacker and listens for commands" the user sends, he says.

This zero-day attack is more of a targeted one, although it could be used in a botnet or other more widespread worm attack. "The goal is to try to infect a small number of individuals and gain access to their computers," he says. "But the risk is it will attract other attackers who will start leveraging it."

That may already be the case: Sophos found W32/Mofei-p, a spyware worm that could be exploiting the same vulnerability, says Ron O'Brien, senior security analyst at Sophos. "We've been providing protection from it for ten hours now," he says, adding that Sophos' alert did not reference Word 2000 specifically.

Aside from taking control of a machine, the worm can steal data and record keystrokes, he says. "Once it's installed, it waits for commands to start."

McAfee also issued protection from the worm, which it calls W32/Mofei.worm.dr.

— Kelly Jackson Higgins, Senior Editor, Dark Reading