Microsoft Word 0-day Vulnerability FAQ – September 2006, CVE-2006-4534 [UPDATED]

This is a Frequently Asked Questions document about a new zero-day vulnerability in Microsoft Word. The document describes the related malware as well.

UPDATE: A fix is included in Microsoft Security Bulletin MS06-060.

Q: What is the recent Microsoft Word 0-day vulnerability discovered in September?
A: This vulnerability is caused by an unknown error when processing malformed Word documents. The issue was disclosed via malware descriptions reporting a new Trojan that exploits an undocumented, previously unknown vulnerability in Microsoft Word 2000.

Q: How does the vulnerability mentioned work?
A: This is a code execution vulnerability. An attacker who successfully exploits it can run code of his or her choice on the affected machine. The arbitrary code runs with the privileges of the currently logged-on user.
UPDATE: One of the security advisories published on 5th Sep states that this vulnerability is caused by memory corruption.
UPDATE #2: Microsoft has stated that a malformed string in a Word document corrupts system memory, which enables the attacker to execute arbitrary code.

Q: When was this vulnerability found?
A: The first malware description was published on Friday 1st September with minimal details. There is information that one AV vendor received samples on the same day.

Q: What is the spreading mechanism?
A: It appears that the malicious files were spread via Web pages.

Q: Is this one of the critical vulnerabilities reported on 8th August in the MS August Security Bulletins?
A: No. This is a different, unpatched vulnerability. The vulnerabilities fixed in MS06-048 are different issues.

Q: Which Windows versions are affected?
A: Microsoft Word installations on Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003 systems are reportedly affected.

Q: What Word versions are affected?
A: Word 2000, as part of Office 2000, is reported to be affected. Other Word versions may be affected as well.
UPDATE: Security advisories published on 5th Sep. confirm Word 2000 and Office 2000 as affected.
NOTE: It is worth noting that other, newer Word versions may be affected as well. It is possible that Office 2000/Windows 2000 installations are in use at the target organisations of this case. Due to licensing policy, many companies don’t purchase new Office suites for older (Windows 2000-type) computers.

Q: Is Word Viewer utility affected too?
A: This information is not available.
UPDATE: The Microsoft security advisory lists Word Viewer as not affected.

Q: Is Microsoft Works Suite affected too?
A: Again, at the time of writing there is no official information about this.

Q: Is Microsoft Word for Mac (versions X and 2004) affected by this vulnerability?
A: There is no information about this.

Q: I am using a non-English version of Microsoft Word. Am I affected?
A: As of 4th September it is impossible to say. Exact information about affected language versions is not available yet.
It is recommended to avoid opening Word documents from untrusted sources on both English-language and non-English systems.

Q: Where are the official Microsoft documents related to this case located?
A: Any upcoming documents published by Microsoft will be located at the Microsoft Security Response Center (MSRC) Blog site, blogs.technet.com/msrc/default.aspx. If an official security advisory is published, it will be located in the Microsoft Security Advisories section of the Microsoft TechNet Security site, www.microsoft.com/technet/security/advisory/default.mspx.
UPDATE: Microsoft Security Advisory #925059 has been released:
www.microsoft.com/technet/security/advisory/925059.mspx
An MSRC Blog entry is no longer expected.

Q: How can I protect myself from this vulnerability?
A: The best advice is to use anti-virus software that protects against this specific malware and to check that virus signature files are up to date. See the related item about opening Word documents.

Q: Has exploit code for this vulnerability been publicly released?
A: No.

Q: Is a PoC-type sample file for this vulnerability publicly available?
A: No.

Q: Is it safe to open any .DOC files anymore?
A: It is very important not to open Word files from unknown sources: e-mail, Web pages, instant messengers etc.

Q: Are there any visual effects indicating the infection?
A: No.

Q: Are there any changes to the file system made by the related malware?
A: Yes. The file WINWORD.EXE is dropped into the Windows %Systemroot% folder.

When the related worm activates it will drop the following files:
Windows\System32\clipbook.exe [30,720 bytes]
Windows\System32\clipbook.dll [33,713 bytes]
The file clipbook.dat (a harmless file) is dropped as well.
UPDATE: Added file sizes.

Additionally, it drops the file Mofei.cfg to %Windir%\System32.

NOTE: The variable %Windir% is normally Windows or Winnt. The folder name ‘Winnt’ is used in older OSs, Windows 2000 and NT 4.0.

This worm-type malware adds the service “Clipbook” to the Windows Control Panel. It is worth mentioning that if this service is already installed, the malware replaces it with itself, i.e. the existence of the Clipbook service alone does not tell whether the workstation is affected or not.

Q: What are the names of the malware exploiting this vulnerability?
A: There is one dropper component for this malware. This dropper installs a malicious executable which contains the Trojan functionality itself.
NOTE: Some AV vendors see this malware as a worm (Mofei), and some vendors as a backdoor Trojan (Femo, Mofei) without a worm mechanism.
W32.Mofei.worm (aka W32.Femot.Worm) spreads by copying itself to network shares. This worm was originally discovered in the wild in summer 2003. When the relationships between these malware families have been confirmed, this FAQ document will be updated.

The following names are being used:

Trend Micro:
TROJ_MDROPPER.BR [dropper]
WORM_MOFEI.AK [Trojan]

Symantec:
Trojan.Mdropper.Q [dropper]
Backdoor.Femo [Trojan] in the wild in 2003 already

McAfee:
W32/MoFei.worm.dr [dropper]
W32/Mofei.worm [worm]

Kaspersky:
Trojan-Dropper.MSWord.1Table.bv [dropper]

Sophos:
W32/Mofei-P [spyware worm]
W32/Mofei-Q [worm]

Microsoft:
Win32/Wordjmp [dropper]
Win32/Mofeir [related worm]

The list is not complete yet.
Some AV vendors have reported that they have a sample file and that analysis has started.

At the time of this FAQ document’s release, the most important point is the existence of backdoor capabilities. 0-day vulnerabilities in Office programs have been widely used for industrial espionage during recent months.

Q: My AV vendor doesn’t list names of these types on their Web pages. How do I know my AV software protects me?
A: It’s possible that the anti-virus software has protection against this threat, but the malware database on their Web page doesn’t include a specific write-up yet, e.g. because of the weekend. The best way is to check the situation with your AV vendor.
This document will be updated to include newly assigned names.

Q: Are there Internet Storm Center documents available about the issue?
A: Yes. The Internet Storm Center (ISC) has released the following Diary entry: isc.sans.org/diary.php?storyid=1669

Q: Is there a CME name available for the related malware?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.

Q: Does Windows Live Safety Center detect this malware?
A: UPDATE: Detection was added on 5th September as Win32/Wordjmp and Win32/Mofeir (related worm).

Q: What is the file name used in related infection cases?
A: This information is not available. It appears that the malicious file was not spread via e-mail. At the time of writing it is not known whether the malicious Web sites spreading this file are still working.

Q: Is there information about the file size used?
A: Yes. The size of the Microsoft Word document is 79,265 bytes. It is not certain whether the .DOC file extension is used.
UPDATE: These malicious documents have three pages of content.

Q: What is the content of the Word document?
A: This information is not available.

Q: Is any user interaction needed when opening a malicious Word file?
A: No. Opening a malformed Word file triggers the vulnerability, with a malicious executable embedded inside the Word document.

Q: Is it safe to open Word documents coming from a trusted, known sender during the next days?
A: The answer is yes and no. These days you can’t trust that the sender information in a message with a Word file attached is truthful (if the attacker uses the e-mail attack vector too). If you are not sure, you can always call the sender if an e-mail including .DOC attachments arrives unexpectedly.
Additionally, it is possible to include malicious Microsoft Word files as embedded files in Microsoft Excel or Microsoft PowerPoint files.

Q: Is it possible that malicious Word files (.DOC file extension etc.) are located on Web pages too?
A: Yes. It is possible for attackers to place malformed Word files on Web pages, and in this case that method is reportedly used. Other attack vectors are IM applications, USB sticks, removable drives, floppy disks etc.

Q: Does filtering Word documents at the network perimeter protect me?
A: No. Windows normally opens files based on their file header information, i.e. filtering by extension is not a method you can trust.
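Because Word recognises a document by its content rather than by its name, a perimeter filter has to look at the bytes. The classifier below is an added example (not from the FAQ, not any vendor's filter) of that idea: it identifies the OLE2 compound-document container used by binary Word, Excel and PowerPoint files by its magic bytes, and RTF by its opening signature, then compares what the content is with what the extension claims. The sample files and the quarantine policy are constructed for the example.

```python
import os

# Magic bytes of the OLE2 compound document container (binary .doc/.xls/.ppt)
# and the opening signature of RTF, which Word also opens as a document.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"

# Extensions a naive filter would treat as "Word documents" (assumed set for this example).
WORD_EXTENSIONS = {".doc", ".dot", ".rtf"}
DOCUMENT_CONTAINERS = {"ole2", "rtf"}


def sniff_container(data):
    """Identify the container from the first bytes: 'ole2', 'rtf' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def classify(filename, data):
    """Return (container, extension, mismatch). mismatch is True when the content
    is a document container but the extension does not claim one, or vice versa."""
    ext = os.path.splitext(filename)[1].lower()
    container = sniff_container(data)
    looks_like_document = container in DOCUMENT_CONTAINERS
    claims_document = ext in WORD_EXTENSIONS
    return container, ext, looks_like_document != claims_document


def should_quarantine(filename, data):
    """Example policy: hold any file whose content is an OLE2 or RTF document
    regardless of its extension (a renamed .doc still opens in Word), and any
    file whose extension claims a document but whose content is something else."""
    container, _ext, mismatch = classify(filename, data)
    return container in DOCUMENT_CONTAINERS or mismatch


# Constructed sample attachments: name -> first bytes of the file.
SAMPLES = {
    "report.doc": OLE2_MAGIC + b"\x00" * 504,   # honest compound document
    "photo.jpg": OLE2_MAGIC + b"\x00" * 504,    # compound document renamed to dodge an extension filter
    "notes.txt": b"{\\rtf1\\ansi Hello}",       # RTF hidden behind a .txt extension
    "readme.doc": b"plain text, not a container",  # .doc name, but not a document container
    "memo.txt": b"plain text",                  # ordinary text file
}


def triage(samples=SAMPLES):
    """Return {filename: (container, quarantine?)} for a batch of files."""
    return {name: (sniff_container(data), should_quarantine(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (container, held) in triage().items():
        print(f"{name:12} {container:5} quarantine={held}")
```

Only the leading bytes are needed, so the check is cheap enough to run on every attachment or download at the gateway. Note that an OLE2 match covers Excel and PowerPoint files as well, which suits the FAQ's warning that a malicious Word file can be embedded in those.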

Q: What is the vulnerable component affected by this vulnerability?
A: This information is not available, but the error is probably in the Winword.exe executable itself.

Q: When is the fix for this vulnerability expected?
A: It is impossible to say. Normally a Microsoft security advisory includes information about the fixing timeline of unpatched vulnerabilities. The next monthly security updates are scheduled for 12th September, 2006.
UPDATE: Microsoft has informed that the upcoming monthly updates include one Microsoft Security Bulletin affecting Microsoft Office. One security bulletin may include fixes for several Office (Word, Excel etc.) issues. Reportedly the highest maximum severity rating for these updates is Critical, the highest in use. The link to the Advance Notification program page is
www.microsoft.com/technet/security/bulletin/advance.mspx

The following information has been released:
Actions related to this vulnerability may include providing a security update through monthly release process or providing an out-of-cycle security update, depending on needs.

UPDATE: Security Bulletin MS06-060 includes a fix now.

Q: Is there a CVE name available for this issue?
A: No. A submission to the Common Vulnerabilities and Exposures project (cve.mitre.org) was made by the FAQ author on 4th September.
UPDATE: This issue was assigned CVE-2006-4534 on 5th September:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4534

Q: Are rootkit techniques included in the malware exploiting this vulnerability?
A: Yes. Clipbook.dll injects itself into the LSASS.EXE process.

Q: Is there information about the origin of related malware authors?
A: No.

(c) Juha-Matti Laurio, Finland (UTC +3hrs)

Revision History:
1.0 04-09-2006 Initial release
1.1 04-09-2006 Minor updates
1.2 05-09-2006 Added new information and fixed the document
1.3 05-09-2006 Added Sophos’s worm detection information
1.4 05-09-2006 Added CVE-2006-4534 to the document text and title field, added new information
1.5 06-09-2006 Added file sizes of clipbook.exe and clipbook.dll, length of Word document (3 pages) and Microsoft’s dropper/worm detection information
1.6 06-09-2006 Added information about published Microsoft Security Advisory #925059
1.7 07-09-2006 Added new worm detection information and updated the document
1.8 10-09-2006 Added new information and link to MS Security Bulletin Advance Notification page
1.9 08-12-2006 Added information about published security update MS06-060

Updated items include the word ‘UPDATE:’
