Severity: Medium
9 July, 2008
Summary:
§ These vulnerabilities affect: Microsoft Word 2002 w/SP3. Doesn’t affect any other versions of Word.
§ How an attacker exploits them: By enticing one of your users into downloading and opening a malicious Word document
§ Impact: An attacker can execute code, potentially gaining complete control of your user’s computer
§ What to do: Implement workarounds found in the “Solution Path” section below
Severity: Medium
9 July, 2008
Summary:
§ These vulnerabilities affect: Microsoft Word 2002 w/SP3. Doesn’t affect any other versions of Word.
§ How an attacker exploits them: By enticing one of your users into downloading and opening a malicious Word document
§ Impact: An attacker can execute code, potentially gaining complete control of your user’s computer
§ What to do: Implement workarounds found in the “Solution Path” section below
Exposure:
In a security advisory quietly released during Patch Day, Microsoft warns of a serious unpatched vulnerability in Word 2002 with Service Pack 3 (SP3) that attackers have begun exploiting on the Internet. Since they just discovered this vulnerability in the wild, Microsoft doesn’t describe it in any technical detail. However, they do describe how an attacker might leverage the new vulnerability: By enticing one of your users into opening a maliciously crafted Word document, an attacker could exploit this flaw to execute code on that user’s machine, with that user’s privileges. If the user has local administrator rights, the attacker would gain full control of the user’s machine.
Since attackers have already begun leveraging this flaw in the wild (in what Microsoft describes as targeted attacks), we highly recommend you implement one of the workarounds suggested below.
Solution Path:
Microsoft has not had time to release a patch yet for this vulnerability. We will update this alert as soon as they do. Until that time, you can mitigate the risk of this vulnerability in the following ways:
§ Inform your users of this breaking vulnerability. Warn your users of this new flaw and remind them to avoid saving or opening unsolicited Word documents, whether or not they trust the source of the document. If they receive an unsolicited document from someone they trust, they should contact that source first, to ensure that the document is indeed legitimate.
§ Keep your antivirus (AV) software up-to-date. Many AV products will eventually release signatures for this new threat, if they haven’t done so already. Be sure to set your AV software to update automatically, so you’ll get those updates as soon as possible.
§ Block Word documents at your perimeter. Some perimeter security devices, including WatchGuard’s Firebox line, are able to block certain types of content at your gateway. If you like, you can set these devices to block all Word files that arrive via HTTP, SMTP, or FTP. (Of course, some businesses need to receive Word files on a daily basis; in that case, you can either skip this workaround, or have legitimate senders zip their Word files before sending them.)
For All WatchGuard Users:
Many of WatchGuard’s Firebox models allow you to prevent your users from accessing Word (.doc) files via the web (HTTP) or email (SMTP, POP3). So, you can temporarily mitigate the risk of this vulnerability by blocking .doc files using your Firebox’s proxy services (video instructions below). Again, if blocking Word documents will disrupt your business, you can skip this workaround or ask legitimate senders to zip their Word files.
If you choose to block Word documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .doc files by their file extensions:
§ Firebox X Edge running 10.x
§ How do I block files with the FTP proxy? (Video, 2:30)
Windows Media, 17.4MB / QuickTime, 11.8MB
§ How do I block files with the HTTP proxy? (Video, 2:52)
Windows Media, 32MB / QuickTime, 28.6MB
§ How do I block files with the POP3 proxy? (Video, 2:35)
Windows Media, 17.6MB / QuickTime, 16.5MB
§ How do I block files with the SMTP proxy? (Video, 2:18)
Windows Media, 12.2MB / QuickTime, 9.1MB
§
§ Firebox X Core and X Peak running Fireware 10.x
§ How do I block files with the FTP proxy? (Video, 2:30)
Windows Media, 25.2MB / QuickTime, 9.1MB
§ How do I block files with the HTTP proxy? (Video, 2:52)
Windows Media, 38.2MB / QuickTime, 10.7MB
§ How do I block files with the POP3 proxy? (Video, 2:35)
Windows Media, 23.2MB / QuickTime, 10.1MB
§ How do I block files with the SMTP proxy? (Video, 2:18)
Windows Media, 25.6MB / QuickTime, 9.0MB
Status:
Microsoft hasn’t had time to release a patch for this zero day vulnerability. We will inform you when they do.