Trojans Fire Zero-day Attack At Microsoft Word

A new unpatched bug in Microsoft Word 2000 is actively being exploited by attackers, several security organizations said Tuesday.

Symantec's researchers said that they'd analyzed a sample of the in-the-wild attack and confirmed that it worked against a fully-patched edition of Office 2000 -- Word 2000 is one of the applications bundled with that version of the Office suite -- running on a fully-patched Windows 2000 machine.

"Although we have not been able to exploit other versions of Office with this specific sample, others may be affected by the vulnerability," Symantec said in an alert issued to customers of its DeepSight threat system. The Cupertino, Calif.-based security vendor characterized the exploit as "reliable" and added that it was "mostly transparent to an end-user."

If a Word 2000 user opens the malicious document attached to the attacker's e-mail message, a Trojan horse drops another file onto the computer; that file (actually another Trojan) drops yet another file, this time a backdoor component which leaves the machine open to additional attack or misuse.

The attack doesn't self-replicate, nor is a multiple-vector exploit that like some other recent rivals, leverages any of several vulnerabilities."The exact functionality of the payload is not currently known, but we expect it to include keystroke and mouse-activity logging, and other information-gathering techniques," said Symantec.

Danish vulnerability tracker Secunia rated the bug as "highly critical," its highest warning ranking, and recommended that users not open unexpected or untrusted Office documents.

Similar warnings and advice were issued in May, June, and July as several unpatched flaws in Office applications -- including Word, Excel, and PowerPoint -- were used to launch targeted attacks. In each case, Microsoft released patches the month following news of the zero-day vulnerability.

"Microsoft Office vulnerabilities are a great platform for social engineering- and e-mail based attacks," said Symantec senior engineer Hon Lau on the company's blog. "Enterprises, small businesses, and consumers continue to share and exchange information using Microsoft Office documents. As most of these document types are generally allowed to pass through most firewalls and security solutions, Microsoft Office documents are good vehicle for hiding executable malicious code."

Office 2000 and Word 2000 are currently in what Microsoft calls "Extended Support," which means that although free support has ended, the company has committed to providing security updates. Office 2000 and Word 2000 are to drop off the support list entirely in July 2009.Microsoft's next scheduled patch day is Tuesday, Sept. 12.