The AV coverage of the 12122006-djtest.doc PoC is extremely poor

This rather negative title is based on the current VirusTotal scan result for the Word 0-day PoC file 12122006-djtest.doc. The Proof of Concept file was publicly released on Tuesday 12th December [I’m not linking to the exploit/PoC site].

The complete scanning result for “12122006-djtest.doc”, as submitted to VirusTotal.com a short while ago, is the following:

–clip–

Antivirus Version - Update Result
AntiVir 7.3.0.15 - 12.13.2006 no virus found
Authentium 4.93.8 - 12.13.2006 no virus found
Avast 4.7.892.0 - 12.13.2006 no virus found
AVG 386 - 12.13.2006 no virus found
BitDefender 7.2 - 12.14.2006 Exploit.MSWord.Gen.2
CAT-QuickHeal 8.00 - 12.13.2006 no virus found
ClamAV devel-20060426 - 12.14.2006 no virus found
DrWeb 4.33 - 12.13.2006 no virus found
eSafe 7.0.14.0 - 12.13.2006 no virus found
eTrust-InoculateIT 23.73.85 - 12.14.2006 no virus found
eTrust-Vet 30.3.3248 - 12.13.2006 no virus found
Ewido 4.0 - 12.13.2006 no virus found
Fortinet 2.82.0.0 - 12.14.2006 no virus found
F-Prot 3.16f - 12.13.2006 no virus found
F-Prot4 4.2.1.29 - 12.13.2006 no virus found
Ikarus T3.1.0.26 - 12.13.2006 no virus found
Kaspersky 4.0.2.24 - 12.14.2006 no virus found
McAfee 4918 - 12.13.2006 no virus found
Microsoft 1.1804 - 12.14.2006 no virus found
NOD32v2 1920 - 12.13.2006 no virus found
Norman 5.80.02 - 12.13.2006 no virus found
Panda 9.0.0.4 - 12.13.2006 no virus found
Prevx1 V2 - 12.14.2006 no virus found
Sophos 4.12.0 - 12.13.2006 no virus found
Sunbelt 2.2.907.0 - 11.30.2006 no virus found
TheHacker 6.0.3.131 - 12.10.2006 no virus found
UNA 1.83 - 12.13.2006 no virus found
VBA32 3.11.1 - 12.13.2006 no virus found
VirusBuster 4.3.15:9 - 12.13.2006 no virus found

–clip–

Only one vendor of the 29 (BitDefender) detects the file, as Exploit.MSWord.Gen.2.

It is worth noticing that seven of the signature sets are dated 14th December. When I submitted the Word document to the service six hours earlier, there were no detections at all.
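The two observations above (one detection out of 29, and which engines had refreshed signatures on the 14th) come straight from reading the pasted listing. The script below, an added example that is not part of the original post or of VirusTotal's own tooling, parses that plain-text listing format, counts detections, lists the engines updated on a given day, and flags engines whose signatures were already stale at scan time (the one-day freshness threshold is my assumption for illustration; the listing embedded in the script is copied from the scan table above):

```python
"""Parse a VirusTotal result listing in the plain-text form pasted above and
summarise detection coverage and signature freshness.

Added example, not code from the original post or from VirusTotal. The
listing is copied from the scan table in the post; the one-day freshness
threshold in stale_engines() is an assumption made for illustration.
"""

import re
from collections import namedtuple
from datetime import date

Row = namedtuple("Row", "engine version updated result")

# Input for this example: the scan result exactly as pasted in the post.
VT_LISTING = """\
Antivirus Version - Update Result
AntiVir 7.3.0.15 - 12.13.2006 no virus found
Authentium 4.93.8 - 12.13.2006 no virus found
Avast 4.7.892.0 - 12.13.2006 no virus found
AVG 386 - 12.13.2006 no virus found
BitDefender 7.2 - 12.14.2006 Exploit.MSWord.Gen.2
CAT-QuickHeal 8.00 - 12.13.2006 no virus found
ClamAV devel-20060426 - 12.14.2006 no virus found
DrWeb 4.33 - 12.13.2006 no virus found
eSafe 7.0.14.0 - 12.13.2006 no virus found
eTrust-InoculateIT 23.73.85 - 12.14.2006 no virus found
eTrust-Vet 30.3.3248 - 12.13.2006 no virus found
Ewido 4.0 - 12.13.2006 no virus found
Fortinet 2.82.0.0 - 12.14.2006 no virus found
F-Prot 3.16f - 12.13.2006 no virus found
F-Prot4 4.2.1.29 - 12.13.2006 no virus found
Ikarus T3.1.0.26 - 12.13.2006 no virus found
Kaspersky 4.0.2.24 - 12.14.2006 no virus found
McAfee 4918 - 12.13.2006 no virus found
Microsoft 1.1804 - 12.14.2006 no virus found
NOD32v2 1920 - 12.13.2006 no virus found
Norman 5.80.02 - 12.13.2006 no virus found
Panda 9.0.0.4 - 12.13.2006 no virus found
Prevx1 V2 - 12.14.2006 no virus found
Sophos 4.12.0 - 12.13.2006 no virus found
Sunbelt 2.2.907.0 - 11.30.2006 no virus found
TheHacker 6.0.3.131 - 12.10.2006 no virus found
UNA 1.83 - 12.13.2006 no virus found
VBA32 3.11.1 - 12.13.2006 no virus found
VirusBuster 4.3.15:9 - 12.13.2006 no virus found
"""

# One row: "<engine> <version> - <MM.DD.YYYY> <result text>"
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+-\s+"
    r"(?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$"
)
CLEAN = "no virus found"  # VirusTotal's wording for "no detection"


def parse_date(text):
    """VirusTotal's MM.DD.YYYY signature stamp -> datetime.date."""
    mm, dd, yyyy = (int(part) for part in text.split("."))
    return date(yyyy, mm, dd)


def parse_listing(text):
    """Turn the pasted listing into Row tuples; blank and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised VirusTotal line: {line!r}")
        rows.append(Row(m["engine"], m["version"],
                        parse_date(m["updated"]), m["result"]))
    return rows


def detections(rows):
    """Map engine -> detection name for every engine that flagged the file."""
    return {r.engine: r.result for r in rows if r.result.lower() != CLEAN}


def coverage(rows):
    """(detecting engines, total engines) for the listing."""
    return len(detections(rows)), len(rows)


def engines_updated_on(rows, day):
    """Engines whose signature set carries the given MM.DD.YYYY date."""
    return sorted(r.engine for r in rows if r.updated == parse_date(day))


def stale_engines(rows, scan_day, max_age_days=1):
    """Engines whose signatures were more than max_age_days old at scan time;
    their 'no virus found' says nothing about a sample released after that."""
    cutoff = parse_date(scan_day)
    return sorted(r.engine for r in rows
                  if (cutoff - r.updated).days > max_age_days)


if __name__ == "__main__":
    rows = parse_listing(VT_LISTING)
    hits, total = coverage(rows)
    print(f"{hits}/{total} engines detect the file: {detections(rows)}")
    print("updated 14 Dec:", engines_updated_on(rows, "12.14.2006"))
    print("stale at scan time:", stale_engines(rows, "12.14.2006"))
```

Run as-is it reports 1/29 detections (BitDefender) and the seven engines dated 14th December. The stale check is the part worth keeping around: Sunbelt's signatures were two weeks old and TheHacker's four days old at scan time, so their clean verdicts on a file released on the 12th carry no information, and a raw "1 of 29" understates how few engines had actually had a chance to cover the sample.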

The title of the exploit release states that it is a code execution issue, but the release does not refer to the MSRC blog entries or similar. Additionally, no CVE is included.

Given the current state of anti-virus coverage, I see this PoC as related to the newer zero-day issue.

It is interesting that on Sunday 10th December McAfee reported this issue via the existence of the PWS-Agent.g Trojan. They reported that DAT 4916 includes protection:

Minimum DAT: 4916 (12/11/2006)

(The link to the McAfee writeup is included in my previous post.) The most recent DAT files, 4918, do not have protection for the PoC released on 12th December, however.
If someone can confirm the target vulnerability of 12122006-djtest.doc, please let me know.

UPDATE: Based on the latest conclusion, this is a totally new, third unpatched vulnerability in Word. McAfee AVERT Labs has confirmed this too.

UPDATE #2: This vulnerability has now been confirmed by US-CERT as the Microsoft Word malformed pointer vulnerability and is public as CVE-2006-6561.


11 Comments:

  1. Answer to questions:
    Sorry, I can’t and I will not e-mail PoC files to the individuals in any way.

  2. VirusTotal manual scanning is not unreliable! You have to execute the doc document and the trojan is detected!!!!
    Microsoft, Symantec, McAfee and Sophos are able to detect this 0-day exploit.

  3. This isn’t a 0day, it was disclosed in full-disclosure mode on the fuzzing mailing list. We really should not let the media force us to abuse these terms.

  4. Looks like also the first Word bug was already disclosed since November. More info on this new blog post from Symantec: http://www.symantec.com/enterprise/security_response/weblog/2006/12/ms_word_the_bug_the_exploit_th.html

  5. your test is wrong because the file http :// www.milw0rm.com /sploits/ 12122006-djtest.doc
    doesn’t contain trojans and so it’s not dangerous.
    That file is just a PoC i.e. only a crash. :-)

  6. OpenOffice 2 also crashes on that doc.

  7. Thanks cass!
    Only version 1.1.3 was confirmed as affected earlier.

  8. […] Related to the third issue a new submission to VirusTotal has been done. There are some better results now: […]

  9. Cass, is it the latest version OO2.1.0 you have tested?

  10. TextMaker 2006 also crashes on that doc. :(

  11. Vulnerability in OOv2.1 has been confirmed via this:
    http://www.securityfocus.com/archive/1/454514/30/0/threaded
