Ashura
Unstopable
Posts: 370

Quote:
Triple threat targets Word users
story by BBC, 20 December 2006
Users of Microsoft Word are being urged to be careful as malicious hackers target the word processing software.
Three unpatched bugs in Word have been uncovered in the last few weeks and two are already being exploited by attackers.
The loopholes being exploited allow attackers to create booby-trapped documents that steal information or take over a PC when they are opened.
Microsoft has yet to release patches to fix the bugs in the Word software.
Attack pattern
Information about the latest problem in Word was posted only a couple of days after Microsoft released its latest security update.
Over the last year malicious hackers have taken to releasing code soon after the regularly-scheduled monthly Microsoft security update to give them the biggest chance to abuse it before a patch appears.
So far the latest Word exploit, which revolves around the way the information describing formatting is handled, is only a proof-of-concept flaw but Symantec and McAfee have confirmed that it will work.
Abusing the flaw could allow attackers to take over a PC or run malicious code on a compromised machine.
The latest flaw joins two others that Microsoft has acknowledged are already being exploited in attacks which it describes as "limited and targeted".
To avoid falling victim it said: "users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources".
Malicious Word documents exploiting one bug discovered in early December are known to have been spammed out to firms in Asia.
Together the three vulnerabilities are found in Microsoft Word 2000, 2002, Office 2003, Word Viewer 2003, Word 2004 for Mac, and Word v. X for Mac and Works 2004, 2005, and 2006.
Microsoft pointed out that to fall victim to the attacks users must receive and then open a booby-trapped Word document.
On its security blog Microsoft said it was actively investigating the three problems and would release patches when work was complete.

Here is our advice:
- Do not open untrusted Word documents or attachments from unsolicited email messages.
- Disable automatic opening of Microsoft Office documents.
- Do not rely on file name extensions as a way to securely filter against malicious files.
- Install anti-virus software and keep its virus signature files up-to-date.
- Save and scan any attachments before opening them.
- Limit user privileges to NO administrator rights.
Until a security fix from Microsoft becomes available, US-CERT recommends that users follow the recommendations in Microsoft Security Advisory 929433 to help mitigate the security risks for all three Word vulnerabilities.
Code:
2006-12-12   Microsoft Word Document Code Execution Proof of Concept
Rated as : Critical
=====
The file I have attached is a very basic two stage bug.  Stage 1 (the
first mod) forces the code down a wrong path.  The second mod by
itself is harmless, however when used with the first it will be the
first and part of the second overwrite.
I have used 41414141 as a marker to make it easier for you to see.
I have made it crash the wordviewer again to make it more obvious
Weight,
location: 00000274
value   : 00000022 - just so it crashes, values 00000001 -> 00000006
are probably the most useful for trying to overwrite a pointer. notice
that neighbouring areas can be weighted the same.
marker,
location: 000027e4
value   : 41414141
the weight destination address == ((weight * 4[this is EDI]) + 4 [ECX*4])
+ source memory offset[ESI].
[also the meta data is Microsoft's, not mine]
======
bug hugs,
disco.
poc: http://www.milw0rm.com/sploits/12122006-djtest.doc

More about it can be found at the link.
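The advice above says not to rely on file name extensions when filtering attachments. The following is an added example, not code from the post, the BBC article or the quoted proof-of-concept, showing what that means in practice: an attachment is classified by its leading bytes (the real OLE2 compound-document signature that legacy .doc files use, the ZIP signature of .docx, the RTF header) and that result is compared with what the extension claims. File names and byte strings below are constructed for the demonstration; the function names are the example's own.

```python
"""
Added example (not part of the original post): triage mail attachments by
content rather than by file name extension, in line with the advice above.
Sample file names and contents are constructed for this demo.
"""
import hashlib

# Real container signatures. Legacy Word (.doc) is an OLE2 compound file,
# Office 2007+ (.docx) is a ZIP archive, and RTF begins with "{\rtf".
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
RTF_MAGIC = b"{\\rtf"

# Container each extension should contain if the file name is honest.
EXPECTED_BY_EXT = {
    "doc": "ole2", "dot": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "rtf": "rtf",
    "txt": "text",
}

FLAG_MISMATCH = "extension/content mismatch"
FLAG_LEGACY = "legacy OLE2 Office container"


def detect_container(data: bytes) -> str:
    """Return the container type implied by the bytes, ignoring the name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def extension_of(filename: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_attachment(filename: str, data: bytes) -> dict:
    """Compare claimed type (from the name) with actual type (from bytes).

    Returns the SHA-256 (for scanning/lookup before opening, as advised),
    both type verdicts, and a list of flags a mail gateway could act on.
    """
    actual = detect_container(data)
    claimed = EXPECTED_BY_EXT.get(extension_of(filename), "unknown")
    flags = []
    if actual != claimed:
        flags.append(FLAG_MISMATCH)
    if actual == "ole2":
        # The format the advisory concerns; treat as high-risk regardless of name.
        flags.append(FLAG_LEGACY)
    return {
        "filename": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "claimed": claimed,
        "actual": actual,
        "flags": flags,
    }


def triage_mailbox(attachments: dict) -> dict:
    """Run triage over a mapping of filename -> bytes; return name -> flags."""
    return {name: triage_attachment(name, data)["flags"]
            for name, data in attachments.items()}


if __name__ == "__main__":
    # Constructed sample attachments (padding bytes stand in for real content).
    samples = {
        "report.doc": OLE2_MAGIC + b"\x00" * 56,      # honest legacy .doc
        "invoice.txt": OLE2_MAGIC + b"\x00" * 56,     # .doc content renamed .txt
        "readme.txt": b"plain text body\n",           # honest text
        "summary.docx": ZIP_MAGIC + b"\x00" * 26,     # honest Office 2007+ file
    }
    for name, flags in triage_mailbox(samples).items():
        print(f"{name:14} -> {flags or ['consistent']}")
```

A gateway built on this idea blocks or quarantines on the flags, not on the name; the SHA-256 is what you hand to the scanner or a reputation lookup before anyone opens the file.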