[Sunnet Alert] Advisory #133 - Microsoft Office, News

Security and IT News Alerts Alertmailinglist at skiifwrald.com
Sat May 20 20:48:12 EST 2006

Sûnnet Beskerming Alert List Advisory #133


1.1    Microsoft Office
          - Remote Hacker Automatic Control
       - Remote or Local - Can it be achieved through a network or
         does it require physical access?
       - Hacker - The bad guy
       - Manual or Automatic - Does the vulnerability need to be
         manually performed, or can it be automated?
       - Control, Denial of Service or Data Theft - Will the hacker
         get control of your system / website, will they prevent you
         from using it, or will they steal data?
2.    NEWS
2.1    A Flood of Bugs


1.1    Microsoft Office - Remote Hacker Automatic Control

       -- Products Affected --
           At least Office XP, 2003.  Rumoured to affect all versions  
back to Office 97.

       -- Technical Description --
           A buffer overflow of unknown origin has been observed to  
affect Microsoft Word (and possibly other components of Office).   
Successful exploitation requires the victim to manually open the infected  
file initially.  The exploit is being used as an infection vector for  
other, known, malware.  Early reports suggest that the exploit can  
only execute code in the context of the user.  Very light technical  
details make it difficult to ascertain the mechanism of  
vulnerability, but the report that it crashes Word suggests that it  
is a memory exploitation vulnerability.  It is suspected that the  
vulnerability being exploited is related to a number being offered  
for sale late last year (Advisory #70, 77).  Although a privately  
reported OLE issue is known to have been reported to Microsoft in  
February (by Sûnnet Beskerming), the reported behaviour of the bug  
makes it appear to have been reverse-engineered from the MS06-012 patch.

       -- Description --
           While investigating reports of a strange attack against a  
company, the Internet Storm Centre discovered that an unknown exploit  
vector in Microsoft Word was being used to spread malicious  
software.  Although the exact mechanism of the vulnerability is not  
understood, it does allow for a remote attacker to run code of their  
choice on a victim's system, just by having the victim open an  
infected file.

       -- Recommended Action --
           Apply caution to Office files of untrusted origin, and  
consider the use of alternate systems until Microsoft is able to  
release a patch (claimed by one source to be June).

       -- Source --
           Initially identified by the ISC (isc.sans.org)

       -- Threat Matrix --
                       U         O
           Home        9         9    (Critical)
           Business    9         9    (Critical)

Threat Matrix:
       U - User
       O - Operator
       Harmless - 0 ----- 10 - Highly Critical

2.    NEWS

2.1    A Flood of Bugs

With the above reported Office vulnerability, and increasing reports
of Windows 2003 web server attacks, it appears that Microsoft are
facing a couple of worrying weeks until their June patch cycle.  For
users of Internet Explorer, the wait continues for Microsoft to
release a patch for several critical known vulnerabilities in the
browser that were not patched in May.  In what is reported to be the
largest web defacement attack ever, a Turkish hacker managed to
deface more than 20,000 sites in one attempt, along with thousands
more which were not recorded in time.  Unfortunately for users and
administrators of IIS webservers, the attacks that result in the
greatest total number of sites compromised seem to be against servers
that run Windows 2000/2003 and IIS 6.  This has taken some of the
shine away from the gains that Microsoft's server recently made
against the open-source Apache server, and has led some to speculate
about undocumented vulnerabilities in IIS 6 that are being actively
exploited by the website defacers (possible).



Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
Tel: 0410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.
