来自中国的Unofficial Registry Script Blunts MS Word Zero-Day Attack

May 22, 2006
In the absence of a patch for a dangerous code execution hole in Microsoft Word, security experts are recommending that Windows users implement software restriction policies to blunt the effects of ongoing zero-day attacks. Just days after anti-virus vendors warned that malicious hackers with links to China and Taiwan were exploiting the vulnerability to launch attacks against select business targets, independent researcher Matthew Murphy says Windows XP users can mitigate the risk by simply using the "Basic User" SRP (software restriction policy). "By using the Basic User SRP, users can launch Microsoft Word without the ability to write to certain registry and file system locations that the in-the-wild malware requires access to," Murphy said in an entry on the SecuriTeam blog. "This is a stop-gap measure based on the threat profile of the malware at this time and is only necessary if you're still running interactively as an administrator," he added. Click here to read about how Microsoft was recently rocked by an Internet Explorer zero-day flaw warning. "If you are, it should be a priority to change that if at all possible," said Murphy, a security researcher who has worked closely with Microsoft's security response center in the past. "[O]rganizations and individuals who follow best-practice and log on interactively as non-administrators are currently not at risk. Based on feedback, I should also note that you are at less risk from any exploit of this vulnerability if the vulnerable application is running without full privilege," he added. Murphy also released a registry script that sets a Software Restriction Policy that runs any instance of 'winword.exe' with the 'Basic User' policy. He made it clear that the effectiveness of registry fix script is entirely based on known characteristics of the payload and warned that future variants may alter the way the flaw is exploited. Because Microsoft Word is such a widely used software program—at home and in the enterprise—the potential for a widespread attack remains significant. However, security experts maintain that the number of actual compromises remain very low because the first attack was pointed at very specific targets. On the MSRC blog, Microsoft program manager Stephen Toulouse confirmed the flaw and the attacks and said a software update is scheduled for June 13 to provide a comprehensive fix. "The attack vector here is Word documents attached to an e-mail or otherwise delivered to a user's computer. The user would have to open it first for anything to happen. That information isn't meant to say the issue isn't serious; it's just meant to clearly denote the scope of the threat," Toulouse explained. He also confirmed that the attack requires admin rights and urged users to set limitations on user accounts to mitigate the risk. The MSRC is investigating what is described as "singular reports of attacks" against a "couple of customers" that have been targeted. The company has added detection signature updates to its Windows Live Safety Center. Toulouse also shared some details of the attacks, noting that the first wave provided evidence of commonality. "The attack we've seen is e-mail based. The e-mails tend to arrive in groups; they often have fake domains that are similar to real domains of the targets, but the targets are valid e-mail addresses," he explained. Only two subject lines have been used so far. One is simply the word "Notice" and the other reads: "RE Plan for final agreement."