From China: Unofficial Registry Script Blunts MS Word Zero-Day Attack

Original post, May 24, 2006, 13:16


In the absence of a patch for a dangerous code execution hole in Microsoft Word, security experts are recommending that Windows users implement software restriction policies to blunt the effects of ongoing zero-day attacks.

Just days after anti-virus vendors warned that malicious hackers with links to China and Taiwan were exploiting the vulnerability to launch attacks against select business targets, independent researcher Matthew Murphy says Windows XP users can mitigate the risk by simply using the "Basic User" SRP (software restriction policy).

"By using the Basic User SRP, users can launch Microsoft Word without the ability to write to certain registry and file system locations that the in-the-wild malware requires access to," Murphy said in an entry on the SecuriTeam blog.

"This is a stop-gap measure based on the threat profile of the malware at this time and is only necessary if you're still running interactively as an administrator," he added.

"If you are, it should be a priority to change that if at all possible," said Murphy, a security researcher who has worked closely with Microsoft's security response center in the past.

"[O]rganizations and individuals who follow best-practice and log on interactively as non-administrators are currently not at risk. Based on feedback, I should also note that you are at less risk from any exploit of this vulnerability if the vulnerable application is running without full privilege," he added.

Murphy also released a registry script that sets a Software Restriction Policy that runs any instance of 'winword.exe' with the 'Basic User' policy.

He made it clear that the effectiveness of registry fix script is entirely based on known characteristics of the payload and warned that future variants may alter the way the flaw is exploited.
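The mechanism described above, as an added example (this is not Murphy's script, whose exact contents the article does not reproduce): a Software Restriction Policy path rule, written to the local machine policy, that starts any `winword.exe` at the "Basic User" level. The registry layout (the `Safer\CodeIdentifiers` key, level ID 0x20000 for Basic User, a GUID-named `Paths` subkey holding `ItemData` and `SaferFlags`) is the documented SRP layout; the rule GUID, the description text and the choice to leave `DefaultLevel` at Unrestricted are this example's assumptions. Run from an elevated PowerShell prompt.

```powershell
# Added example: SRP path rule that launches winword.exe as "Basic User".
# Not the script from the article; it illustrates the same stop-gap.
# Must run elevated. Local machine policy only (HKLM), so it covers every user.

$safer     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$basicUser = 0x20000   # SAFER_LEVELID_NORMALUSER, shown as "Basic User" in gpedit.msc
$unrestricted = 0x40000

# Create the policy container and turn SRP on without affecting anything else:
#   DefaultLevel 0x40000  -> everything not matched by a rule stays Unrestricted
#   TransparentEnabled 1  -> enforce for executables (2 would include DLLs)
#   PolicyScope 0         -> apply to administrators too (the point of this stop-gap)
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value $unrestricted -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1             -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0             -Type DWord

# SRP only evaluates files whose extension is in ExecutableTypes. If the key was
# never touched by gpedit.msc the list is absent, so seed it with the usual
# designated file types (assumption: this mirrors the gpedit default list).
$existing = (Get-ItemProperty -Path $safer -ErrorAction SilentlyContinue).ExecutableTypes
if (-not $existing) {
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
             'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
             'PIF','REG','SCR','SHS','URL','VB','WSC'
    Set-ItemProperty -Path $safer -Name ExecutableTypes -Value $types -Type MultiString
}

# Path rules live under <levelId>\Paths\<GUID>. The GUID is only a unique key name;
# a freshly generated one is fine (assumption: the original script's GUID is unknown).
$ruleId = '{' + [guid]::NewGuid().ToString() + '}'
$rule   = Join-Path $safer ("{0}\Paths\{1}" -f $basicUser, $ruleId)
New-Item -Path $rule -Force | Out-Null

# A bare file name in ItemData matches winword.exe wherever it is launched from.
# ItemData is REG_EXPAND_SZ so environment variables would be expanded if used.
Set-ItemProperty -Path $rule -Name ItemData    -Value 'winword.exe' -Type ExpandString
Set-ItemProperty -Path $rule -Name SaferFlags  -Value 0             -Type DWord
Set-ItemProperty -Path $rule -Name Description -Value 'Run Word as Basic User (May 2006 zero-day stop-gap)' -Type String

# Read the rule back so what will be enforced is visible before Word is next started.
Get-ItemProperty -Path $rule | Select-Object ItemData, SaferFlags, Description
```

SRP is evaluated when a process is created, so only new Word instances are affected; log off and back on if the rule does not appear to take effect. Under Basic User the process token has the Administrators SID marked deny-only and the administrative privileges removed, which is what stops a payload from writing to machine-wide registry and file system locations; a payload written to live within the user's profile would not be blocked, which is the limit Murphy points out. To undo the change, delete the GUID-named rule key (or the whole `CodeIdentifiers` key if SRP was not otherwise in use).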

Because Microsoft Word is such a widely used software program—at home and in the enterprise—the potential for a widespread attack remains significant.

However, security experts maintain that the number of actual compromises remains very low because the first attack was aimed at very specific targets.

On the MSRC blog, Microsoft program manager Stephen Toulouse confirmed the flaw and the attacks and said a software update is scheduled for June 13 to provide a comprehensive fix.

"The attack vector here is Word documents attached to an e-mail or otherwise delivered to a user's computer. The user would have to open it first for anything to happen. That information isn't meant to say the issue isn't serious; it's just meant to clearly denote the scope of the threat," Toulouse explained.

He also confirmed that the attack requires admin rights and urged users to set limitations on user accounts to mitigate the risk.

The MSRC is investigating what is described as "singular reports of attacks" against a "couple of customers" that have been targeted.

The company has added detection signature updates to its Windows Live Safety Center.

Toulouse also shared some details of the attacks, noting that the first wave provided evidence of commonality.

"The attack we've seen is e-mail based. The e-mails tend to arrive in groups; they often have fake domains that are similar to real domains of the targets, but the targets are valid e-mail addresses," he explained.

Only two subject lines have been used so far. One is simply the word "Notice" and the other reads: "RE Plan for final agreement."
