News Stay informed about the latest enterprise technology news and product updates.

Zero-day threat targets Microsoft Word

Update: Symantec says a targeted exploit uses Microsoft Word to open a backdoor in users' systems. It recommends blocking .doc files at the network perimeter. Microsoft is working on a fix.

Targeted exploit code has been discovered in the wild that takes advantage of Microsoft Word to open a backdoor for attackers.

Cupertino, Calif.-based antivirus giant Symantec Corp. this morning informed customers of its DeepSight Threat Management System that it has raised its ThreatCon level from 1 to 2 (on a scale of 4) as a result of the exploit, currently known as Trojan.Mdropper.H.

In its message to customers, Symantec said the zero-day exploit arrives as a Word document attached to an email. Vincent Weafer, senior director at Symantec's Security Response unit, said the document appears to be of Japanese origin and includes text summarizing a recent U.S.-Asian political summit.

Weafer said inside the document's OLE structure is a dropper program called Backdoor.Ginwui. Once a victim opens the document, that program creates a backdoor for attackers to exploit the system using a previously unknown vulnerability.

"The backdoor will point to an IP address in Asia to say it's available," Weafer said. "The dropper and the backdoor are fairly standard, but this is a targeted attack. We're not seeing it as spam."

In fact, Weafer added, Symantec currently knows of only one customer that has been affected by the exploit. Yet he said the antivirus giant chose to raise its ThreatCon level because it is an example of a highly dangerous attack to which enterprises could easily fall victim.

"Even though we're not talking about volume, this kind of targeted attack is something [our customers] care about," Weafer said. "This is the type of attack they worry about. Something that leverages a zero-day vulnerability, is targeted and seeks out specific information."

The SANS Internet Strom Center reports that the unnamed organization that was targeted received a single e-mail that was sent to specific individuals and crafted to look like it originated from the organization's own domain.

The exploit targets Microsoft Word 2003, but it causes Word 2000 to crash apparently without triggering the backdoor exploit.

A Microsoft spokesman confirmed that the software giant is investigating "new public reports of a zero-day attack using a vulnerability in Microsoft Word XP and Microsoft Word 2003."

"Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability," Microsoft said in a statement. "The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted."

Weafer said Symantec's research suggests the exploit is merely the most recent in a string of similar attacks. He said a number of other recent targeted efforts have used similar methods to exploit other Microsoft applications such as Excel, Access or Outlook. Plus this new exploit attempts to contact the same IP address in Asia as in previous exploits.

Symantec recommends that organizations block .doc Word email attachments at the network perimeter. Weafer suggested converting documents to safer formats, such as .rtf.

"Furthermore," the vendor said in its email to customers, "extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected email attachment."

This article originally appeared on

Dig Deeper on Microsoft Office and Office 365

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.