Microsoft is readying a security update for Word to help stop a zero-day attack. The original attack method involved highly tailored social engineering to infiltrate systems, where documents were emailed to a specific target company. The email was made to appear legitimate by using exact information to coax the recipient into opening the attached Word document.
However, a savvy recipient noticed an oddity with the sender's domain name, which prompted further investigation that revealed the attempted attack. When opened, the Word document drops a Trojan onto the system and overwrites the original Word document to remove traces of the attack vector.
A few days after the initial attack was exposed, new exploits, subsequently named GinWui, began to appear. The GinWui Trojan reportedly hooks into various system DLLs in an effort to hide its presence and opens a backdoor that lets an intruder access a command shell, take screenshots, and gather system information. According to Microsoft's advisory, the attack affects Word XP (also known as Word 2002) and Word 2003.
Microsoft said that it is in the final testing stages for a patch, which should become available as part of its next monthly security update scheduled for June 13, 2006. In the meantime, Microsoft recommends workarounds to help prevent a successful attack. The workarounds include disabling Word as the email editor for Outlook and running Word in safe mode by using the "/safe" command-line switch. Details of the workarounds can be found in Microsoft's advisory.