News

Microsoft Word vulnerability gives hackers a backdoor

• By John K. Waters
• May 24, 2006

A newly discovered vulnerability in Microsoft Word XP and Word 2003 allows malicious hackers to mount Trojan-based attacks through e-mail attachments, establishing a backdoor that allows them to control compromised Windows PCs. According to security experts, files containing the Mdropper-H and Backdoor-Ginwui Trojans have begun to circulate on the Internet.

Symantec issued an alert on its home page about this vulnerability. The company is recommending that users exercise extra caution when opening any Word document received by e-mail or any other means. Companies should limit users' privileges and monitor outbound traffic. They should also quarantine all e-mail attachments for 6 to 12 hours, which should give the antivirus vendors time to catch up with new threat, Symantec says.

Microsoft confirmed the vulnerability in a company blog posting by Stephen Toulouse, security program manager with Microsoft's security response center. Users must open the attached Word file for the attack to take place, he said.

"We are hard at work on an update," Toulouse said in his blog. "So far, this is a very limited attack, and most of our antivirus partners are rating this as low, but we’re working to investigate any variants, as well as working on the update to address the vulnerability."

Microsoft reportedly plans to break its patch cycle to fix the Word flaw. Ordinarily the patch wouldn't be issued until the June 13 security update.

Unlike a virus, a Trojan does not make copies of itself or spread via the Internet, but must be directly distributed. Symantec says that the targeted attack can bypass spam filters, and that the company's own antivirus software lacks the ability to detect the malicious Word file. At present, hackers have limited their attacks to selected targets, Symantec says.

"Opening e-mail attachments is always a sticky business fraught with peril," says security expert Dr. Gary McGraw, author of Software Security: Building Security In. "But people have become so accustomed to it, that they do it almost automatically. Too many people blithely open untrusted Word documents all day long. This new Trojaned Word file serves as a reminder to be careful about what you open."

There is little reason to be surprised that a Word document would be a tempting target for a hacker exploit, says attorney and Word-watcher Andrew Updegrove. Updegrove is the creator of Consortiuminfo.org, and an advocate for the OpenDocument Format (ODF). He sees this latest vulnerability as a consequence of what security expert Dan Geer has called "IT monoculture."

"As Geer has pointed out, the greater the market share of a given vendor, the more that vendor's products attract hackers," Updegrove says, "and therefore, the more its customers are at risk. With ODF, in contrast, there are already four main product choices, as well as several others available or in process. Unless a hacker could find a vulnerability at the standardized level, which is quite unlikely, the risk would automatically be dramatically reduced for any individual user, even if the total market share of ODF-compliant products were to become the same size as that enjoyed by Microsoft Office today."

Only one actual attack had been reported at press time. Toulouse noted in a blog entry on Friday (May 19) that Microsoft had "received a report that a customer had been subjected to a very targeted attack using this vulnerability." That attack probably originated in Asia, according to the security mavens at SANS, the security training company that maintains the Internet Storm Center Web site. The attackers may be operating in China or Taiwan, according to SANS CTO Johannes Ullrich.