Disagreement Over '0-Day' Word Worm
By Scott M. Fulton, III | Published September 6, 2006, 2:30 PM
Last weekend's disclosure of an alleged security vulnerability in Microsoft Word 2000, exploited by a new version of an old worm, is raising questions over how the severity of an exploit should be measured. Is it the degree to which we know about it, or the number of systems it could possibly hurt?
A blog post last Sunday on Symantec's Web site characterizing the latest permutation of a months-old exploit as "zero-day" contributed to security firm Secunia raising its advisory rating to "extremely critical."
But Symantec itself, along with other firms, continues to rate the exploit -- the latest in a series of worms that drop backdoor payloads through a hole discovered in Word 2000 -- as "low" or "very low" severity.
Typically, a zero-day exploit is one that is released into the wild and becomes active before, or within about 24 hours of, the first reports of the vulnerability it exploits, leaving the vendor no time to patch. In the case of what Symantec classifies as Trojan.Mdropper.Q, reports of this latest permutation were recorded just within the past few days, but according to Symantec's own security advisory, fewer than three sites actually reported its existence.
Meanwhile, reports of earlier permutations have extended as far back as May 2005. The earliest version of the worm classified by Symantec, Trojan.Mdropper.B, exploited a Word 2000 macro-related vulnerability involving the name buffer, triggering an overflow that enabled the dropping of a backdoor package onto infected systems. That buffer overflow was first documented in November 2003, which would make version "B" a "one-and-a-half year exploit" rather than a zero-day.
But version "Q," according to Symantec, exploits a "previously undocumented vulnerability in Microsoft Word 2000," implying that later versions now make use of a different technique. That change buys the worm little, since Norton AntiVirus still detects it under the Trojan.Mdropper signature. The vulnerability does not affect Office XP or Office 2003.
Secunia's description of this new version refers to a "memory corruption error" that is thus far undocumented, but does not go into specifics. If the Word 2000 vulnerability is, in fact, undocumented, then this new "Q" version could be credited with bringing the problem to light.
Sophos currently classifies the worm as W32/MoFei-P, and explains that the payload it drops onto infected systems has the power to download files from the outside, delete files on the system, and log and capture screen commands -- typical of most backdoors. Currently, Sophos gives the worm a "low" prevalence rating, though it updated its virus definition files yesterday to help users identify it.
Graham Cluley, Sophos' senior technology consultant, told BetaNews this morning, "We're not seeing evidence of it spreading very widely at the moment. It does appear that it is exploiting an as-yet unpatched vulnerability in Microsoft Word, and I think that's why some people are describing it as critical. Obviously a day-zero hole in a widespread piece of software like Microsoft Word that is being exploited by malicious code raises the temperature for a lot of people."
A lot of people, perhaps, but not Cluley, who advises users simply not to open unsolicited Microsoft Word documents as a matter of everyday principle.
One could argue that, because no time passed between the discovery of the worm and the discovery of the vulnerability it exploits, it qualifies as a "zero-day exploit." But that term has typically been used to raise red flags about security issues whose public revelation leads to near-instantaneous dangers.
In this case, even the trusted security companies that brought this issue to light continue to rate its severity among the lowest of categories, which could leave some wondering whether leveraging a phrase generally synonymous with "red alert" is actually doing users a service.
Microsoft acknowledged to BetaNews that its security division was investigating a "possible vulnerability in Microsoft Word," but declined to call it an actual security flaw.
"In order for this attack to be carried out," a Microsoft spokesperson explained, "a user must first open a malicious Word document that is sent as an e-mail attachment or otherwise provided to them by an attacker." Microsoft does believe some type of attack is taking place, but is uncertain whether it's a new attack -- as Symantec and others claim -- or simply a rehash of an old scenario.
"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs," the spokesperson added.
Why, in 2006/2007, are system-level remote access vulnerabilities based on APPLICATION vulnerabilities still around?
We need OSes where privilege escalation is no longer possible. Seriously, it's worth waiting for Office 2009 if it means no more system-level access.
Score: 0
|...because you are still using a LEGACY-DESIGNED SYSTEM in WINDOWS XP.
Try OSX. It owns.
Score: 0
|OSX is just a refined version of what Linux has had around for a long time. Also, a general rule is...
The more people use something, the less secure it becomes.
If there were as many Mac users as there are Windows users, we'd be seeing these kinds of news articles about Mac, and people would be saying the same thing about Windows that you just said about Mac... get it?
It's just sad that programmers can't all get together to better avoid such issues, and that they do need so much access to do so little on a machine. Windows Vista looks to fix some of this, but who knows; with the users Windows has, too much security is worse than not enough.
Score: 0
|While your general rule is probably accurate, it's misleading... a bit like being told that 50% of the patients with cancer at some hospital died... sounds very frightening until you discover that there were only 2 patients with cancer, and 1 died!
In other words, while Unix/Linux/OSX might be less secure as user base grows, the real question is HOW MUCH LESS secure it would become? I don't think it would become much less secure.
Score: 0
|Apache, the world's most popular web server, works fine and rarely has security issues.
Score: 0
|I'd try OSX but I don't want to invest in a company that is smug and self-important. I can't stand apple's attitude and RDF, I don't care what their products do, I won't be part of that air of superiority.
Score: 0
|Very true, it can be misleading. I called it a general rule, not an exact rule ;)
Yes, even if everyone and their dog used a *nix flavor, I feel their very essence would allow them to still be more secure. Their code (for the most part) is WIDE open for ANYONE to find a hole in. Which does mean that the "evil hacker" can use this to his advantage, but at the same time the "little guy in the corner" can also find this and submit it as a bug and/or offer a patch, whereas with Microsoft you have to wait for them to fix the bug...
Score: 0
|"In this case, even the trusted security companies that brought this issue to light continue to rate its severity among the lowest of categories, which could leave some wondering whether leveraging a phrase generally synonymous with "red alert" is actually doing users a service."
I haven't heard of many Office exploits being used anyway -- sure, there were a couple of Word 97 viruses back in the day that I heard stories about, but not once have I witnessed a virus infection that was due to a Microsoft Word/Excel/PowerPoint/Access vulnerability.
Very few infections reported of the one mentioned here, while Trend Micro, Kaspersky, Grisoft, Avast, and perhaps others don't have any infections reported by their scanners as of yet.
Based on what I know about virus outbreaks, based on the reports, I'm guessing there have only been some odd dozen infections worldwide, and they are likely limited to one geographical area.
Score: 0