Fourth unpatched hole in Word

Symantec has reported a new trojan that penetrates Word on Windows PCs through a previously unknown hole. Called Trojan.Mdropper.W, the contaminant probably uses a buffer overflow in Word to write code into memory and launch it via specially prepared documents. Symantec does not, however, provide any details about the hole or describe which versions of Word or Office are affected. This is the fourth hole that Microsoft now needs to patch in addition to the three holes in Word that have still not been patched, even though they have been known for up to six weeks.

According to reports in the US media, Microsoft knows about the problem and has already received reports about attacks on users. Apparently, though, only a small number of attacks have taken place as yet. The trojan apparently works on Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.

Among other things, Mdropper.W connects to a server to receive additional commands. It also stores an empty Word file with the title "Summary on China's 2006 Defense White paper.doc" on the local hard drive. Symantec is providing signatures for its scanner to detect the trojan.

Users should be very careful before opening unsolicited documents; unless you are absolutely certain, you may want to ask the sender before opening attachments. As one of the exploits for Word demonstrated in December, switching to alternative products, such as OpenOffice, does not always help: that exploit also worked in Writer. It is not yet clear whether Word Viewer is also vulnerable. No exploits or samples of the contaminant have yet been made available to the public for testing. Word's Safe Mode may reduce the risk of an attack being successful.

Also see:

• Trojan.Mdropper.W, Symantec's description

(ehe)