Application security, Patch/Configuration Management, Vulnerability Management

Microsoft Office trojan appears in wake of Patch Tuesday


Security experts continue to track a low-risk trojan that takes advantage of a recently patched critical vulnerability, the second Windows flaw to be exploited since Redmond released its August security update.

The trojan, dubbed Trojan.Mdropper by Symantec, exploits a vulnerability in Microsoft Office and Visual Basic for Applications, permitting an attacker to take over control of a computer, according to an advisory from the anti-virus giant. The flaw affects MS Office 2000, MS Office XP and Visual Basic for Applications 6.0, 6.2, 6.3 and 6.4.

The trojan appears as a Microsoft Word document and infects systems by either being unknowingly downloaded from the internet or a spammed email, or being "dropped" by other malware, a Trend Micro advisory said.

Once the trojan is executed, a specially crafted .xls file causes the application to drop and execute an embedded malicious .exe file, the advisory continued.

Security firms said the threat was minimal and said it would be easy to contain and remove. Microsoft bulletin MS06-047 fixed the flaw.

"Customers who have installed MS06-047 and updated their anti-virus software are at a reduced risk from infection by the trojan," a Microsoft spokesman said in an e-mail today. "Our own internal investigative teams have determined this is a "low" threat and we are not currently aware of widespread customer impact."

However, few anti-virus solutions currently can detect the malware, according to the SANS Internet Storm Center. The Microsoft spokesman said that for added protection, users should "exercise exterme caution when visiting unfamiliar or distrusted websites."

Reports of this exploit come just days after researchers reported a more serious, bot-enabled exploit of a critical Windows server service flaw, also patched last week. Some analysts predicted a major worm attack would ensue because the critical vulnerability is remotely and anonymously exploitable on all unpatched versions of Windows.

But Microsoft experts disputed these claims, saying the threat remains limited to Windows 2000 and seems contained. Posting on the Microsoft Security Response Center blog, the experts credited quick patching with preventing mass propagation.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.