来自中国的Unofficial Registry Script Blunts MS Word Zero-Day Attack

原创 2006年05月24日 13:16:00

 


In the absence of a patch for a dangerous code execution hole in Microsoft Word, security experts are recommending that Windows users implement software restriction policies to blunt the effects of ongoing zero-day attacks.

Just days after anti-virus vendors warned that malicious hackers with links to China and Taiwan were exploiting the vulnerability to launch attacks against select business targets, independent researcher Matthew Murphy says Windows XP users can mitigate the risk by simply using the "Basic User" SRP (software restriction policy).

"By using the Basic User SRP, users can launch Microsoft Word without the ability to write to certain registry and file system locations that the in-the-wild malware requires access to," Murphy said in an entry on the SecuriTeam blog.

"This is a stop-gap measure based on the threat profile of the malware at this time and is only necessary if you're still running interactively as an administrator," he added.

PointerClick here to read about how Microsoft was recently rocked by an Internet Explorer zero-day flaw warning.

"If you are, it should be a priority to change that if at all possible," said Murphy, a security researcher who has worked closely with Microsoft's security response center in the past.

"[O]rganizations and individuals who follow best-practice and log on interactively as non-administrators are currently not at risk. Based on feedback, I should also note that you are at less risk from any exploit of this vulnerability if the vulnerable application is running without full privilege," he added.

Murphy also released a registry script that sets a Software Restriction Policy that runs any instance of 'winword.exe' with the 'Basic User' policy.

He made it clear that the effectiveness of registry fix script is entirely based on known characteristics of the payload and warned that future variants may alter the way the flaw is exploited.

Because Microsoft Word is such a widely used software program—at home and in the enterprise—the potential for a widespread attack remains significant.

eWEEK Special Report: Securing Windows

However, security experts maintain that the number of actual compromises remain very low because the first attack was pointed at very specific targets.

On the MSRC blog, Microsoft program manager Stephen Toulouse confirmed the flaw and the attacks and said a software update is scheduled for June 13 to provide a comprehensive fix.

"The attack vector here is Word documents attached to an e-mail or otherwise delivered to a user's computer. The user would have to open it first for anything to happen. That information isn't meant to say the issue isn't serious; it's just meant to clearly denote the scope of the threat," Toulouse explained.

He also confirmed that the attack requires admin rights and urged users to set limitations on user accounts to mitigate the risk.

The MSRC is investigating what is described as "singular reports of attacks" against a "couple of customers" that have been targeted.

The company has added detection signature updates to its Windows Live Safety Center.

Toulouse also shared some details of the attacks, noting that the first wave provided evidence of commonality.

"The attack we've seen is e-mail based. The e-mails tend to arrive in groups; they often have fake domains that are similar to real domains of the targets, but the targets are valid e-mail addresses," he explained.

Only two subject lines have been used so far. One is simply the word "Notice" and the other reads: "RE Plan for final agreement."

相关文章推荐

Unofficial.Guide.to.Microsoft.Office.Word.2007

  • 2011年12月01日 15:53
  • 17.31MB
  • 下载

DoubleAgent: Zero-Day Code Injection and Persistence Technique

转自:https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/ Overview ...

Zero Day Exploit Countdown to Darkness.rar

  • 2007年11月06日 09:21
  • 2.46MB
  • 下载

方式程0day MS17-010远程溢出漏洞测试

最近那个WannaCry勒索病毒搞的沸沸扬扬,据了解该病毒利用了方程式泄露的0day MS17-010(永恒之蓝)进行传播。 据说这个漏洞是支持winxp-win2012,测试一下这个漏洞到底如何。 ...

MS11-046 Dissecting a 0 day

  • 2016年01月03日 00:30
  • 699KB
  • 下载

MS15-077 HT Windows字体提权0day 源码+exp

微软已有补丁,MS15-077,影响win2003-win2012全版本系统,x64自行编译% m8 @9 u6 j) t  E' L& x - 低调求发展& R  l/ }9 ]( \8 V3...

PDF文件【由Latex、CTex或MS Word等生成】嵌入所有字体的快速解决方法

原文地址:http://software.intel.com/zh-cn/blogs/2011/09/03/pdflatexctexms-word/?cid=sw:prccsdn1974 作...
  • Hencoff
  • Hencoff
  • 2012年07月03日 22:16
  • 3875
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:来自中国的Unofficial Registry Script Blunts MS Word Zero-Day Attack
举报原因:
原因补充:

(最多只允许输入30个字)