BetaONE will rise again!


Reply
  #1  
Old 22nd May 06, 01:00 AM
NewsBot's Avatar
NewsBot NewsBot is offline
Senior Member
 
Join Date: Oct 2004
Posts: 30,940
NewsBot will become famous soon enough
Experts Warn of Critical Word Vulnerability
Security experts are warning of a critical vulnerability affecting users of Microsoft Word XP and Word 2003. To quote the SANS Internet Storm Center report:Quote - Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system). The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a clean (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new clean file is opened without incident. They are working with Microsoft on this.We are still analyzing the trojan dropped by the exploit. What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and pings this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows. Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.We have traced nearly this attack to the far east; specifically, China and Taiwan. IP's seen are registered there, domains seen are registered there, and the emails received originated from a server in that region. The attackers appear to be aware that they have been outed, and have been routinely changing the IP address associated with the URL above.Due to the aggravating circumstances (0-day, no AV detection), we wanted to make sure the community is aware that this problem exists as soon as possible.Users should be aware that as of now this vulnerability is only being exploited as a very concentrated and targeted attack. That said, Microsoft is working diligently with anti-virus vendors to update their products in an effort to detect and combat a more widespread use of this exploit. Microsoft also states that they have a patch for this security issue ready and it is currently in testing and scheduled to be released as part of the June security updates on June 13, 2006, or sooner if necessary. View: SANS Internet Storm Center News source: Microsoft Security Response Center BlogRead full story...



News source: Full Story
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Robertson Launches Online Version Of MS Word NewsBot NeoWin News 0 24th Mar 06 12:00 AM
Security Experts Warn of Kama Sutra Worm NewsBot ieXbeta News 0 26th Jan 06 10:30 PM
Critical Winamp Vulnerability NewsBot ieXbeta News 0 25th Nov 04 06:00 PM


All times are GMT +1. The time now is 10:08 AM.


Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.5
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.