The Word on Those Word Vulnerabilities

[Symantec]

The Word on Those Word Vulnerabilities
<p>I’d like to try and clarify the confusion that has surrounded the publishing and reporting of three Microsoft Word vulnerabilities in the last few days. The bad news is that there are actually three different vulnerabilities in the wild. In chronological order, this is the breakdown of these three vulnerabilities.</p>

<p><strong>Vulnerability #1</strong><br />
<a href="http://www.securityfocus.com/bid/21451">BID 21451</a>: Microsoft Word Unspecified Remote Code Execution Vulnerability (CVE-2006-5994). <br />
This vulnerability was first reported by Microsoft on December 6 via their <a href="http://www.microsoft.com/technet/security/advisory/929433.mspx">Security Advisory 929433</a>. Symantec Security Response created a heuristic detection (<a href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121214-0359-99">Bloodhound.Exploit.106</a>) for this vulnerability that yielded some interesting stuff, which I wrote about yesterday in a <a href="http://www.symantec.com/enterprise/security_response/weblog/2006/12/ms_word_the_bug_the_exploit_th.html">blog entry</a>. </p>

<p><strong>Vulnerability #2</strong><br />
<a href="http://www.securityfocus.com/bid/21518">BID 21518</a>: Microsoft Word Unspecified Code Execution Vulnerability (CVE-2006-6456).<br />
Microsoft <a href="http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx">blogged</a> about this vulnerability on Dec 10, to confirm that it was not the same as Vulnerability#1 but to date they have not released an advisory. We have added detection for the malicious code that exploits this vulnerability as <a href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121312-2658-99">Trojan.Mdropper.U</a>. A heuristic detection is currently being worked on for the vulnerability itself and will be released as soon as possible.</p>

<p><strong>Vulnerability #3</strong> <br />
<a href="http://www.securityfocus.com/bid/21589">BID 21589</a>: Microsoft Word Code Execution Vulnerability (No CVE has been assigned yet).<br />
The proof-of-concept document was first published on milw0rm on Dec 12. Unlike the two previous vulnerabilities, this one resides in the way Microsoft Word handles data describing the text formatting in a document (such as which font to use, if the text is bold or in italics, etc.). By modifying certain properties within the data structure used to contain this information, an attacker can cause code to execute within the Microsoft Word process. This could allow it to drop malicious code onto the targeted system, or install a back door. Symantec Security Response has created a heuristic detection for this (<a href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121412-1329-99">Bloodhound.Exploit.108</a>).</p>

<p>While we have not seen wide exploitation of any of these vulnerabilities, at the time of writing they remain unpatched. Please be careful and exercise caution when dealing with unsolicited Word files from any source.</p>
http://www.symantec.com/enterprise/security_response/weblog/2006/12/the_word_on_those_word_vulnera.html
http://www.symantec.com/enterprise/security_response/weblog/2006/12/the_word_on_those_word_vulnera.html
Thu, 14 Dec 2006 10:00:00 -0800