Would-be intruders already have attempted to compromise PCs at a Japanese government entity by exploiting the flaw, Vincent Weafer, the senior director at Symantec Security Response, said in an interview. In response, Symantec has raised its ThreatCon to Level 2, which means an outbreak is expected.
"What we're seeing is a continuation of the targeted threat using zero-day vulnerabilities," Weafer said. Zero-day flaws are ones for which no patch exists. "We got it from a single large customer inside Japan. We have not seen anyone else get it."
Microsoft is readying a security update for Word that repairs this vulnerability, a company representative said in an emailed statement. The fix is scheduled to be released as part of the 13 June security updates, or sooner, if warranted, the representative said.
The malicious software arrives as a Microsoft Word file attachment to an email. When the document is opened by the user the vulnerability is triggered. In the Japanese case the Word document actually displayed some text related to a treaty with China, but while the text was displayed a backdoor was installed on the system, Weafer said. Backdoor software allows intruders to enter computers surreptitiously.
"The backdoor in turn pings an IP address located in Asia. It just pings to say it is available, but then, of course, you have a backdoor on your system," he said.
The vulnerability was confirmed in Word 2003, Symantec said. The malicious file caused Word 2000 to crash, but did not run the malicious payload, it added.
Exploitation of the security hole so far is only known as part of a single, targeted attack, Symantec said. "However, with the disclosure of this previously unknown vulnerability, new attackers may begin to exploit it in a widespread manner," the security company said in an advisory to customers.
The targeted attack can bypass spam filters, and Symantec's antivirus software doesn't yet detect the particular Word file as malicious, Weafer said. "We are looking at the vulnerability itself, in terms of generic blocking," he said, adding that the security software does detect the backdoor and the installer of the backdoor.
Microsoft and Symantec urged caution in the opening of Word documents received as an unexpected email attachment.
Talkback
Why do we have to wait till the 14th to get a fix? Way to drag your feet MS.
OH NO! This is terrible, and only a day after a M$ exec
proclaimed that open source was un reliable and not
dependable. Thank heaven we only have to wait until June 14th for a patch, and thank heaven M$ software
is SO reliable and dependable. Whatever would we do without M$?
The real news is that this security hole is targeted. Meaning that so far it's used to target specific organizations (since march at least if you must know). What that does mean? Well, the future holds customized attacks. Meaning making use of exploits to target specific targets. The benefit of all that? Well, it means that since it isn't a massive attack those that can make a difference aren't that motivated to do something about it. After all, you alone are just a bleep on the radar screen. Just a single customer so who gives a damn what's important to you. Aren't you glad you made yourself depanded on a self defeating solution or what? Would that include your government systems? It could. Maybe next month news papers will inform you about that. To some extend.
The thing to realize is that currently security fixes are mostly based upon reports from the field asking for an explaination. So the more targeted an attack is the less likely reports will come in and thus inspiring specialists to find ways to cure the problem at hand. Basicaly you're left with the factory default build-in security that comes with the solutions of your choice and the knowledge, expertize, insight, experience, time and resources your own internal professionals have available to them. Suddenly the weakest chain gets a whole new meaning. Being one of many just isn't good enough anymore. Get the idea?
Why does anyone need MS Word or any other super-formatable program?
Those of us who are older used to have only plain text - i.e. typewriters. I still use nothing but plain text, or if I "must" have something fussy-looking I create an HTML page using CSS.
"reliable and dependable" - MS "spokespersons" = stupid and dumb. And redundant.