
Unofficial registry fix out for Microsoft Word flaw

A researcher has released an unofficial fix for the latest flaw in Microsoft Word.

Matthew Murray posted on the SecuriTeam Blogs last week that the flaw, which affects Office XP and 2003, is being exploited in highly targeted attacks that require the user to have administrator privileges.

Murray made available a registry script that sets a software restriction policy (SRP) so that winword.exe runs under only the "basic user" policy.

"By using the ‘basic user’ SRP, users can launch Microsoft Word without the ability to write to certain registry and file system locations that the in-the-wild malware requires access to," Murray said on his blog. "This is a stop-gap measure based on the threat profile of the in-the-wild malware at this time and is only necessary if you’re still running interactively as an administrator."

However, Murray also warned that the registry fix would be effective only as long as the characteristics of the exploit’s payload remained the same.

"As such, it is possible that future variants of the in-the-wild exploits will eliminate the dependence on administrative privileges and thus, reduce the effectiveness of this workaround," he said.

Stephen Toulouse, head of the Microsoft Security Response Center, did not say in a Tuesday posting on the group’s weblog whether Redmond would release an early, out-of-cycle patch for the flaw.

The Microsoft advisory, he said, "is of course just a place holder while we are working on the update, which is still on track to be released in the June cycle or sooner if needed."

Both Microsoft and eEye Digital Security released advisories for the Word flaw on Monday.

Microsoft said it was receiving reports of only limited zero-day attacks on systems running affected versions of Word.

Symantec warned PC users last week about activity surrounding the flaw, including malicious PowerPoint slides and Excel charts, a trojan called Backdoor.Ginwui and a malicious Word document called Trojan.Mdropper.H.
