Microsoft Word Vulnerability

Back on May 19th, a vulnerability was discovered in Microsoft Word that allows a specially crafted Word document to install malware. This vulnerability is a zero-day flaw, meaning there are not yet any patches or fixes to stop it. To make matters worse, this particular vulnerability was released to the public as well as to Microsoft, so anyone who wishes to exploit the Word vulnerability will surely try.

Thus far, the attacks have used malware to install backdoors that the mothership can use for various reasons. As a matter of fact, once the backdoor is installed on a PC, the PC would then ping the head server to inform it of the successful system breach.

In order for someone to get infected, one would need to open a specially crafted Word document designed to take advantage of the Word vulnerability. These documents can either be downloaded from a Web site or sent to you in an e-mail. Either way, the outcome is the same.

Microsoft has stated that the vulnerability will be patched on June 13, 2006 with the scheduled monthly update, so you may want to mark that down and make sure your PC updates on that day. Also, this vulnerability only applies to the 2002 and 2003 versions of Word. It will crash Word 2000, but otherwise leave it unharmed. Microsoft has come out with some workarounds and good practices that you may want to consider until the patch is available:

1. Users whose accounts are configured to use restricted rights on the system could be less impacted than users who operate with administrative user rights.
2. When running Office XP or Office 2003, the vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.
3. In Office XP and Office 2003, this vulnerability cannot be exploited automatically through a Web-based attack scenario. An attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s site.
4. Use Word Viewer 2003 to open and view files. Word Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack. It can be downloaded for free here.

Users can follow these steps to disable the Outlook feature to use Word as a mail editor:

1. Restart the machine.
2. Open Outlook.
3. Click Tools, click Options and then click the Mail Format tab.
4. Clear the “Use Microsoft Word to edit e-mail messages” check box.
5. Clear the “Use Microsoft Word to read Rich Text e-mail messages” box.
6. Exit Outlook.
7. Restart the machine.
8. For more information on turning Word on or off as your e-mail editor, see the following Web site.

Use Word in Safe Mode for Home Users:

Using Word in Safe Mode helps protect the affected system from attempts to exploit this vulnerability. All versions of Word have an application recovery feature that allows running Word in Safe Mode. Safe Mode disables the functionality and prevents vulnerable code from being exploited.

1. Word will display SAFE MODE in the title if it is operating in Safe Mode.
2. Right-click on your Desktop.
3. Select New/Shortcut.
4. Select Browse.
5. Locate winword.exe.
6. Append “ /safe” (without quotes) to the end of the file location, after the quotation mark.
7. Click Next. Name your shortcut as “Word Safe Mode.”
8. Click Finish.

To open a Word document, follow the steps listed below:

1. Save your Word document to a disk or onto your desktop.
2. Start Word using your “Word Safe Mode” Shortcut.
3. Click File, click Open, then browse to the document you wish to open.
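
The shortcut steps above can also be scripted, which helps when the same workaround has to be applied on several PCs. The following PowerShell is an added example, not part of the original article or of Microsoft's guidance; it assumes Word registered its install path under the Windows "App Paths" registry key and that the Windows Script Host COM object is available.

```powershell
# Added example: creates the "Word Safe Mode" desktop shortcut described above.
# Assumption: winword.exe is registered under the App Paths key (the second
# entry covers 32-bit Office on 64-bit Windows).
$appPathKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
)

# Locate winword.exe (step 5 of the manual procedure).
$winword = $null
foreach ($key in $appPathKeys) {
    if (Test-Path -Path $key) {
        $candidate = (Get-ItemProperty -Path $key).'(default)'
        if ($candidate) {
            $candidate = $candidate.Trim('"')
            if (Test-Path -LiteralPath $candidate) { $winword = $candidate; break }
        }
    }
}
if (-not $winword) { throw 'winword.exe was not found via the App Paths registry key.' }

# Build the shortcut on the current user's Desktop (steps 2-4 and 7).
$desktop = [Environment]::GetFolderPath('Desktop')
$lnkPath = Join-Path $desktop 'Word Safe Mode.lnk'

$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)
$shortcut.TargetPath  = $winword
$shortcut.Arguments   = '/safe'          # step 6: the Safe Mode switch
$shortcut.Description = 'Starts Word in Safe Mode'
$shortcut.Save()

# Read the shortcut back so a wrong target or a missing switch is visible.
$check = $shell.CreateShortcut($lnkPath)
if ($check.Arguments -ne '/safe') { throw "Shortcut was saved without /safe: $lnkPath" }
'{0} -> "{1}" {2}' -f $lnkPath, $check.TargetPath, $check.Arguments
```

After running it, start Word from the new shortcut and confirm that SAFE MODE appears in the title before opening any saved document.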

Keep in mind that there are going to be some changes in the way Word behaves while in Safe Mode, but it’s only for a short while. Until this gets patched, here’s exactly what you can expect in Safe Mode.

Stay safe out there.

~Chad Stelnicki