Exploits Circulating for Zero Day Flaw in Microsoft Word

Date:
May 22, 2006

Severity:
High

Systems Affected:
Windows 95
Windows 98
Windows Me
Windows NT
Windows Server 2003
Windows XP
Microsoft Word

Overview:
eEye Digital Security is advising customers of the existence of exploit code leveraging a previously unknown vulnerability in Microsoft Word. This exploit code has been targeting individuals through email messages with a malicious Microsoft Word attachment. The messages appear to come from someone within the individual's own organization, and simply opening the Word file causes the system to be exploited.

Successful exploitation of this flaw would lead to the attacker gaining full rights in the context of the exploited user. As an example, if an exploited system were running with Administrator privileges, then the attacker would gain Administrator privileges for that machine and be able to execute code, delete or edit files, or change configuration settings.

It should be noted that these attacks are currently extremely targeted. Across various organizations, only a small handful of systems have been attacked. These emails were at least somewhat hand-crafted for the people targeted for attack. Administrative privileges are required for the exploit code to operate properly, although the security vulnerability itself does not require administrative privileges.

Attack Characteristics

Early forensic investigations show the attacks originating from within China.

To date, two variants have been found in the wild, most popularly termed GinWui.A and GinWui.B.

Two email subject lines have been reported:
"Notice"
"RE Plan for final agreement"

Two email doc attachments have been reported:
"NO.060517.doc.doc"
"PLANNINGREPORT5-16-2006.doc"
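
The subject lines and attachment names reported above can be swept for in stored mail. The following Python sketch is an added example, not eEye code; the normalisation, the match/review tiering, the helper names and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the alert text, stored lower-cased.
SUBJECTS = {"notice", "re plan for final agreement"}
ATTACHMENTS = {"no.060517.doc.doc", "planningreport5-16-2006.doc"}


def _norm(value):
    """Lower-case, drop colons and collapse whitespace (assumed normalisation)."""
    return " ".join((value or "").replace(":", " ").split()).lower()


def check_message(raw_bytes):
    """Return (indicator_type, value) hits for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    subject = _norm(msg["Subject"])
    if subject in SUBJECTS:
        hits.append(("subject", subject))
    for part in msg.walk():  # container parts have no filename and are skipped
        name = _norm(part.get_filename())
        if name in ATTACHMENTS:
            hits.append(("attachment", name))
    return hits


def triage(raw_bytes):
    """'match' on a reported attachment name, 'review' on subject alone, else None.

    The tiering is an assumption of this example: a subject such as "Notice"
    is too common to act on without the attachment name.
    """
    kinds = {kind for kind, _ in check_message(raw_bytes)}
    if "attachment" in kinds:
        return "match"
    return "review" if "subject" in kinds else None


def build_sample(subject, filename):
    """Constructed message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
    m.set_content("See attached.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="msword", filename=filename)
    return m.as_bytes()
```

Feed check_message the raw bytes of each message exported from the mail store. Because the attacks were hand-crafted per target, an absence of hits does not rule out a related message.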

Previous versions of this exploit have been reported to be successful on Chinese versions of Microsoft Word. This new variant has been confirmed to work on Microsoft Word 2003 and Word XP English versions.

Prevention:
eEye Digital Security's Research Team has confirmed that eEye's Blink® protects from the potential exploitation of this Microsoft Word zero day vulnerability without requiring invasive firewalling. The result is 100% protection, with zero downtime or impact to operations.

Users interested in protecting their systems with Blink can download an evaluation here:
http://www.eeye.com/html/products/blink/download/index.html

Links:
Microsoft Security Response Center's Filing on GinWUI
US-CERT Technical Cyber Security Alert TA06-139A on GinWUI
US-CERT Vulnerability Note VU#446012 on GinWui

This alert was last updated on May 23, 2006.