eEye Digital Security
  • Login to the eEye Business Client Portal
  • Shop for eEye Products
  • Read the eEye Blog
  • Subscribe to eEye RSS Feeds
  • Follow eEye on Twitter
  • Follow eEye of Facebook
Resources

Exploits Circulating for Zero Day Flaw in Microsoft Word

Date:
5/22/2006 12:00:00 AM

Severity:
High

Affected Software:
Windows 95
Windows 98
Windows Me
Windows NT
Windows Server 2003
Windows XP
Microsoft Word

Overview:
eEye Digital Security is advising customers to the existence of exploit code leveraging a previously unknown vulnerability in Microsoft Word. This exploit code has been targeting individuals through email messages with a malicious Microsoft Word attachment. The messages appear to come from someone within the individual's own organization, and simply opening the Word file causes the system to be exploited.

Successful exploitation of this flaw would lead to the attacker gaining full rights in the context of the exploited user. As an example, if an exploited system was being run under Administrator privileges, then the attacker would gain Administrator privileges for that machine and be able to execute code, delete or edit files or change configuration settings.

It should be noted that these attacks are currently extremely targeted. Across various organizations only a small handful of systems have been attacked. These emails were at least somewhat hand crafted for the people targeted for attack. Administrative privileges are required for the exploit code to operate properly, although administrative privileges are not required for the security vulnerability itself.

Attack Characteristics

Early forensic investigations show the attacks originating from within China.

To date, there have been two variants found in the wild, termed most popularly,
GinWui.A and GinWui.B.

Two email subject lines have been reported:
"Notice"
"RE Plan for final agreement"

Two email doc attachments have been reported:
"NO.060517.doc.doc"
"PLANNINGREPORT5-16-2006.doc"

Previous versions of this exploit have been reported to be successful on Chinese versions of Microsoft Word. This new variant has been confirmed to work on Microsoft Word 2003 and Word XP English versions.

Technical Analysis:

Detection:

Prevention:
eEye Digital Security's Research Team has confirmed that eEye's Blink® protects from the potential exploitation of this Microsoft Word zero day vulnerability without requiring invasive firewalling. The result is 100% protection, with zero downtime or impact to operations.

Users interested in protecting their systems with Blink can download an evaluation here:
http://www.eeye.com/html/products/blink/download/index.html

Links:
Microsoft Security Response Center's Filing on GinWUI
US-CERT Technical Cyber Security Alert TA06-139A on GinWUI
US-CERT Vulnerability Note VU#446012 on GinWui

Copyright ©1998-2010 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Next Steps

Free Trial
Test drive an eEye product
On-demand Demo
See an online product tour
One-on-one Demo
Schedule a personalized tour
Compare Products
See side-by-side features
Buy Now
Go to eEye product store
Contact | Site Map | Privacy | Website Feedback | 1.866.339.3732
© 1998 – 2011 eEye Digital Security. All rights reserved.