May 23, 2006
0-Day Word Vulnerability Roundup
Friday brought us yet another zero-day attack. Word has a previously unannounced hole in it that is being exploited by an email-propagating worm that plants a trojan. Word 2003 and XP are definitely vulnerable; there seems to be conflicting info on Word 2000. Since there’s no patch, everyone has some ideas about what you might do. Potential mitigations I’ve seen suggested include:
- Switch from MS Word to OpenOffice. (SANS ISC)
- Quarantine all attachments for 6-12 hours. (SANS ISC)
- Force people to run Word in “Safe Mode”. (Microsoft)
- Don’t allow users to store important data on the desktop. (SANS ISC)
If you can do any of these, great. But for those of us who live in the real world, here are some things you might try:
- Block outbound traffic to the site the trojan phones home to: localhosts dot 3322 dot org. SANS says the owner has changed the IP several times, so using your DNS servers to blackhole the name may be the most effective approach.
- Block Word attachments through email. People will complain, and it only works until the exploit changes and starts zipping the Word doc first.
- Latest AV signatures. Most of the vendors are rating the exploit as low severity, so they are not turning out sigs very fast, but it’s better than nothing.
- User education about not opening Word docs from untrusted sources.
- Use advanced AV features or Host-Based IPS to block the writing of the trojan files to specific directories.
- IDS/IPS signatures for the phone-home site: localhosts dot 3322 dot org.
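Two of the items above, the DNS blackhole/phone-home check and attachment blocking, worked as an added Python example (not from the original post): it flags internal hosts that resolved the phone-home name in DNS query logs, and identifies Word 97-2003 attachments by their OLE2 header rather than by file extension, so a doc hidden inside a zip is still caught. The log line layout and all sample values are constructed, and the domain is used only as a string to compare against.

```python
import io
import re
import zipfile

# Magic bytes of the OLE2 compound document format used by Word 97-2003 .doc
# files (other legacy Office formats share it, so the check errs toward flagging).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Phone-home hostname from the post, handled here purely as a string to match.
PHONE_HOME = "localhosts.3322.org"

# Assumed BIND-style query log layout (constructed for this example).
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN ")

SAMPLE_DNS_LOG = [  # constructed sample lines
    "23-May-2006 10:14:02 client 10.0.0.7#51523: query: localhosts.3322.org IN A +",
    "23-May-2006 10:14:05 client 10.0.0.9#40011: query: www.example.com IN A +",
    "23-May-2006 10:15:30 client 10.0.0.7#51530: query: LOCALHOSTS.3322.ORG. IN A +",
]

def find_phone_home_clients(log_lines):
    """Return the set of internal client IPs that looked up the phone-home name."""
    hits = set()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m.group("name").rstrip(".").lower() == PHONE_HOME:
            hits.add(m.group("ip"))
    return hits

def contains_word_doc(data, depth=0):
    """True if data is an OLE2 file or a zip (nested at most two deep) holding one.
    Matching on content rather than file extension catches renamed and zipped docs."""
    if data.startswith(OLE2_MAGIC):
        return True
    if depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(contains_word_doc(zf.read(i), depth + 1) for i in zf.infolist())
    return False

def build_zipped_doc():
    """Constructed attachment: a minimal OLE2-headed blob zipped as 'invoice.zip'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", OLE2_MAGIC + b"\x00" * 504)
    return buf.getvalue()

if __name__ == "__main__":
    print("hosts resolving phone-home name:", sorted(find_phone_home_clients(SAMPLE_DNS_LOG)))
    print("zipped attachment contains a Word doc:", contains_word_doc(build_zipped_doc()))
```

Hosts returned by the first function are the ones to pull the trojan off; the second check is what a mail gateway would run on each attachment before delivery.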
Link RoundUp:
News.com article
eWeek Article
Microsoft Advisory Bulletin
F-Secure: Info on the Exploit, Some Background
SecurityFocus Summary
Updates:
SecuriTeam Has a Registry Hack Workaround
We’ve had (untested) reports from McAfee that the Buffer Overflow Protection in the 8.0i AV client will protect against any exploit to this vulnerability, regardless of DAT version.
[…] Included in the office patches will be fixes for the Word 0-Day Vulnerability. […]
June 9th, 2006 at 9:42 am