Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Blog discussion - Microsoft fixes Word 0-day flaw - related to Smart Tags



http://blogs.securiteam.com/index.php/archives/436

Microsoft fixes Word 0-day flaw - related to Smart Tags
Juha-Matti - June 9, 2006 on 8:38 pm | In Microsoft, Commentary, Virus,
Corporate Security |

Microsoft has confirmed it will fix a critical 0-day code execution
vulnerability in Word, or in several Office products. According to their
Advance Notification program details released yesterday, MS is planning
to release

    Two Microsoft Security Bulletins affecting Microsoft Office. The
highest Maximum Severity rating for these is Critical. 

Originally the schedule was announced via this MSRC Blog entry.
Major sources say this is a Word vulnerability affecting Microsoft Word
2003 and Microsoft Word 2002 (so-called Word XP). But Dave Aitel dropped
a comment three weeks ago:

    ...
    It's always possible the "Word" bug is really a PPT or Excel bug. 

In May, already, Mr. Aitel's Florida-based Immunity Inc. company
generated a working PoC saying this flaw is related to Microsoft Office
Smart Tags implementation.

This information was disclosed via their Partner's Web page:
www.immunitysec.com/partners-index.shtml
-> CANVAS Modules and Proof of Concepts

The first entry from May 29th says 'Proof of Concept for the Microsoft
SmartTag bug (still unpatched)'. Interesting document name:
wordmagic_may29.doc.

This PoC code is available only as part of the Immunity Partner program;
it is not available to the public.

At the same time Symantec published a new write-up about the .C variant
of Ginwui malware, calling it Backdoor.Ginwui.C. This Ginwui variant
uses a different 'target' domain now. It communicates with kmip.net,
registered to Shenzhen COMEXE Communication Technology Co. Ltd. in
China. .A and .B opened a backdoor to 3322.org and scfzf.xicp.[REMOVED].

One more conclusion:
The .A and .B variants of Ginwui used rootkit techniques; variant .C
doesn't.
I believe that the write-up is ready already, because it has the same
author as variant .B had.
The malformed Word document has a new name as a dropper file now:
Mdropper.I.
Symantec says the document that arrived has Japanese characters. Earlier
names like PLAN.doc, PLANNINGREPORT5-16-2006.doc and FINAL.doc were in use.
More information about the process is here and here [Advanced].

Maybe it's time to discuss whether disabling the Smart Tags feature is
needed in organizations. MS has their instructions.

I'm not a registered Immunity partner and have no connections to the
company.
Several related references are included in this posting.
Matthew Murphy's registry fix is available as well.

Update 13th Jun: Microsoft says the following (MS06-027):

    A remote code execution vulnerability exists in Word using a
malformed object pointer.




 



