Microsoft Working On Word Patch; Don't Panic Say Experts

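Microsoft is fixing a zero-day vulnerability in Word that has been used to drop a Trojan. Although the attack is limited in scope, it has drawn wide attention across the industry.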
Microsoft said it's working on a fix for the zero-day vulnerability in Word that spooked security vendors last week, but likely won’t release a patch until June 13, the next regularly-scheduled monthly patch day.

The Microsoft Word bug first surfaced Friday, when numerous security companies, led by Symantec, said that an active exploit was using an unpatched vulnerability in Word 2003 and Word XP to drop a backdoor Trojan onto a limited number of PCs. Once in place, the Trojan -- which uses rootkit techniques to infiltrate code into difficult-to-detect locations on the drive -- provides the attacker with command shell access to the PC, effectively hijacking the machine.

Friday and Saturday, Microsoft acknowledged the Word bug, said it was working on a fix, and downplayed the vulnerability.

"So far, this is a very limited attack, and most of our antivirus partners are rating this as 'low,'" Stephen Toulouse, program manager for the Microsoft Security Response Center (MSRC), wrote on the MSRC blog Saturday.

Friday, Toulouse said that his team was working up a patch, which had already moved into testing, and would release with the June update, "or sooner as warranted."

Microsoft's Windows Live Safety Center has been updated, added Toulouse, to detect and delete the Trojan planted by the exploit. (It does not, however, protect a PC from infection.)

Although virtually every security company and organization put out warnings of the Word flaw, including U.S. CERT, which releases warnings sparingly (only 19 so far in 2006), some seconded the MSRC's stress on the limited nature of the attack.

"The group originating these attacks does so in a very targeted fashion," said the SANS Institute's Internet Storm Center (ISC) in its latest alert. "The document is crafted to target a specific organization, containing specific elements that deal with just that one organization. If you don't work for them, you are very unlikely to ever see this."

But if so few users are at risk, why did the security industry's alarm bells ring so loudly? A pair of analysts offered different opinions.

"Actually, I think it was because it was something different than the usual suspect, Internet Explorer," said Mike Murray, director of research at vulnerability management vendor nCircle. "When a zero-day vulnerability is about something other than IE, it usually gets more attention."

Vincent Weafer, senior director of Symantec's security response group, had a different take. "For large organizations, like enterprises and government, this [kind of attack] is what they worry about. The attack implies knowledge [of the attacked organization] and intent to mine its data."

Unlike run-of-the-mill exploits, most of which get blocked at the corporate perimeter, a targeted attack like this is, even if rare, the kind of risk that makes IT managers lose sleep. "They're really concerned about the possibility of targeted attacks," said Weafer.

Other details of the attack have surfaced since Friday, including the location of the Web site from which the Trojan is downloaded: China. "And the URL has been used for targeted attacks in the past," said Weafer.

By the Internet Storm Center's analysis, the site has been actively changing the URL's IP address to stay up and running. As of mid-day Monday, however, the site was offline or not available to TechWeb.

"If you're not on their target list, chances are you will not see an exploit till Microsoft releases a patch and the knowledge to exploit it can be derived by the hackers," concluded the ISC.

"Panic and blindly taking actions is probably the worst course of action you can take."
