Microsoft Word 0-day Vulnerability FAQ – December 2006, CVE-2006-5994 [UPDATED]

This is a Frequently Asked Questions document about a new zero-day vulnerability in Microsoft Word. The document also describes the related Trojan malware.
Update: This vulnerability was fixed in February 2007 with MS07-014.

Q: What is the recent Microsoft Word 0-day vulnerability disclosed in December?
A: This vulnerability is caused by an unknown error when processing malformed Word documents. The issue was disclosed by the vendor. Late on 5th December Microsoft reported zero-day attacks using an undocumented, previously unknown vulnerability in Microsoft Word products. Microsoft released a Security Advisory to provide notification of a “publicly disclosed vulnerability”.
Q: How does the vulnerability work?
A: It is a code execution vulnerability. An attacker who successfully exploits it can run code of his or her choice on the affected machine. The arbitrary code runs with the privileges of the currently logged-on user.
The vulnerability is caused by memory corruption when handling a malformed string in a Word document, which allows the attacker's arbitrary code to execute.

Q: When was this vulnerability found?
A: The Microsoft Security Advisory was published on Tuesday 5th December with minimal technical details.
Q: What is the spreading mechanism?
A: This information was not disclosed, but e-mail is the most common method used in the previous targeted Office attacks this year. Update 14th Dec: Symantec has confirmed that the Trojan may arrive as a file attachment.
Q: Which Windows versions are affected?
A: Microsoft Word installations used in Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, and Windows 2003 Server systems are reportedly affected.

Q: What Word versions are affected?
A: It is reported that Word 2003, Word 2002 (aka Word XP) and Word 2000 are affected. Other Word versions may be affected as well.

Additionally, Word 2004 for Mac and Word v. X for Mac are affected too.

Microsoft lists Microsoft Word Viewer 2003 and Microsoft Works versions 2006, 2005, and 2004 as vulnerable products too.

Q: Is the Office viewer utility – Word Viewer – affected too?
A: Yes. The vendor's security advisory lists Word Viewer 2003 as affected too. Version 2003 is the latest Word Viewer available.
Q: Is Microsoft Works Suite affected too?
A: As mentioned, the three latest Works versions are listed as affected because they include MS Word.
Q: Is Microsoft Word for Mac (versions X and 2004) affected in this vulnerability?
A: Yes. As noted above, the Macintosh versions of Word are affected.
Q: I am using a non-English version of Microsoft Word. Am I affected?
A: As of 7th December it is impossible to say. Exact information about affected language versions is not yet available. Normally Microsoft issues fixes for all language versions of Office products.
UPDATE 9th Dec:
According to SecurityFocus’s BID21451 (SecurityFocus is a subsidiary of Symantec Corp.) the following Microsoft Word versions are separately listed as affected:

- Microsoft Word 2000 Korean Version
- Microsoft Word 2000 Japanese Version
- Microsoft Word 2000 Chinese Version

It is possible that the target organizations of these targeted attacks are using these language versions. This entry will be updated when the Trojan description write-up from Symantec is available.

It is recommended to avoid opening Word documents from untrusted sources on English-language and non-English systems.

Q: Where are the official Microsoft documents related to this case located?
A: Any upcoming notifications published by Microsoft will appear on the Microsoft Security Response Center (MSRC) Blog site. The address of this site is blogs.technet.com/msrc/default.aspx. The official security advisory was published in the Microsoft Security Advisories section of the Microsoft TechNet Security site, www.microsoft.com/technet/security/advisory/default.mspx.
Link to the advisory #929433:
www.microsoft.com/technet/security/advisory/929433.mspx

NOTE: See the FAQ entry related to upcoming monthly security updates later.

Q: How can I protect myself from this vulnerability?
A: The best advice is to avoid opening Word documents from unknown sources, and Word documents received unexpectedly from trusted sources.
Q: Is the exploit code of this vulnerability publicly released?
A: No.

Q: Is a PoC-type sample file for this vulnerability publicly available?
A: No. Some anti-virus vendors have a malicious .DOC sample which they use to build protection against the threat.
Q: Is it safe to open any .DOC files any more?
A: It is very important not to open Word files from unknown sources: e-mail, Web pages, instant messengers etc.

Q: Are there any visible signs of infection?
A: Information not available.

Q: Does the related malware make any changes to the file system?
A: No. According to current knowledge only changes to the Registry have been made.
When the related Trojan Troj/DwnLdr-FXG activates, it injects code into the process “Shell_TrayWnd” and attempts to download code from a remote website. More details: www.sophos.com/virusinfo/analyses/trojdwnldrfxg.html
Another Trojan horse, Troj/DwnLdr-FXH, in turn copies itself to the file [System]\wdfmgr32.exe. More details: www.sophos.com/virusinfo/analyses/trojdwnldrfxh.html

Q: What are the names of the malware exploiting this vulnerability?
A: There are reports of two separate Trojans from the same family.
The following names are in use:

Sophos:
Troj/DwnLdr-FXG [Trojan]
Troj/DwnLdr-FXH [Trojan]

Trend Micro (waiting for confirmation):
TROJ_TINY.DU [Trojan]
(alias of Troj/DwnLdr-FXG, writeup N/A)

F-Secure:
Trojan-Downloader.Win32.Cryptic.ec [Trojan]
Trojan-Downloader.Win32.Cryptic.f [Trojan]
Trojan-Downloader.Win32.Tiny.y [Trojan]
(descriptions N/A)

Panda:
Protection with TruePrevent mechanism
(malware name or description N/A)

McAfee:
Downloader-AZP [Trojan]
Downloader-AZQ [Trojan]
Downloader-AZR [Trojan]

Symantec:
Trojan.Mdropper.T [Trojan]

Microsoft OneCare:
TrojanDownloader:Win32/Agent.BBX [Trojan]
TrojanDownloader:Win32/Agent.BBY [Trojan]
TrojanDownloader:Win32/Agent.BBZ [Trojan]
(descriptions N/A)

It is worth noting that 0-day vulnerabilities in Office programs have been widely used for industrial espionage in recent months.

Q: My AV vendor doesn't list names of this type on their Web pages. How do I know my AV software protects me?
A: It is possible that your anti-virus software already protects against this threat, but the malware database on the vendor's Web page does not yet include a specific write-up, for example because a sample is still missing. The best way is to check the situation with your AV vendor.
This document will be updated to include newly assigned names.

Q: Are there Internet Storm Center documents available about the issue?
A: Yes. The Internet Storm Center (ISC) has released the following Diary entry: isc.sans.org/diary.php?storyid=1913

Q: Are there any CERT advisories released?
A: The CERT Coordination Center released its Vulnerability Note VU#167928 on 6th December at www.kb.cert.org/vuls/id/167928.
Additionally, several national CERT units have released their own alerts.

On 19th Dec US-CERT released a new Current Activity entry.

Q: What is the CVSS Severity of this vulnerability?
A: The CVSS (Common Vulnerability Scoring System) score is 7.0 (High).

Q: Is there a CME name available for the related malware?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.

Q: Does Windows Live Safety Center detect this malware?
A: This information is not available. UPDATE 8th Dec: Microsoft says the Windows Live OneCare Safety Scanner (in Beta phase) detects this malware.
Q: What is the file name of the malicious documents used in the related infection cases?
A: This information is not available.
Update: On 14th Dec Symantec reported that the file name contains Japanese characters.

Q: Is there information about the file size used?
A: No. File attachment size information is not available.
Update: Reportedly the file size varies.

Q: What is the content of the Word document?
A: Again, information not available.
Q: Is any user interaction needed when opening a malicious Word file?
A: No. Simply opening a malformed Word file triggers the vulnerability, and the malicious code embedded inside the document runs.

Q: Is it safe to open Word documents coming from a trusted, known sender during the next few days?
A: The answer is yes and no. These days you cannot trust that the sender information in a message with a Word file attached is truthful (if the attacker uses the e-mail attack vector too). If you are not sure, you can always call the sender when an e-mail with a .DOC attachment arrives unexpectedly.
Additionally, malicious Microsoft Word files can be embedded inside Microsoft Excel or Microsoft PowerPoint files.

Q: Is it possible that malicious Word files (.DOC file extension etc.) are located on Web pages too?
A: Yes. Attackers can place malformed Word files on Web pages. Other possible attack vectors are IM applications, USB sticks, removable drives, floppy disks etc.

Q: Does filtering Word documents at the network perimeter protect me?
A: No. Windows normally identifies a file by its header information rather than by its extension, so filtering by file extension alone cannot be trusted.
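As an added illustration of the point above (example code written for this page, not taken from the original FAQ or any vendor): a perimeter check that recognises the OLE2 compound-document header that binary Word files carry, independently of the file extension. The 8-byte OLE2 signature is the real one; the sample files are constructed inline and contain no malware.

```python
# Header-based classification of Word files for perimeter filtering.
# The OLE2 compound-document signature is real; SAMPLES are constructed.

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Extensions normally associated with binary Word files (assumption for the example)
WORD_EXTENSIONS = {".doc", ".dot", ".wbk"}


def is_ole2_compound(data: bytes) -> bool:
    """True if the data begins with the OLE2 compound-document signature."""
    return data[:8] == OLE2_MAGIC


def classify(name: str, data: bytes) -> str:
    """Combine header evidence with the extension to reach a verdict."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    ole = is_ole2_compound(data)
    if ole and ext in WORD_EXTENSIONS:
        return "ole2-doc"           # a Word file that looks like a Word file
    if ole:
        return "ole2-disguised"     # Word/OLE2 content behind another extension
    if ext in WORD_EXTENSIONS:
        return "doc-ext-no-ole2"    # .doc name but not a compound file (RTF, text...)
    return "other"


# Constructed samples: OLE2 header padded to one 512-byte sector, an RTF body, plain text
SAMPLES = {
    "report.doc": OLE2_MAGIC + b"\x00" * 504,
    "invoice.txt": OLE2_MAGIC + b"\x00" * 504,
    "notes.doc": b"{\\rtf1\\ansi Hello}",
    "readme.txt": b"plain text",
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; an extension-only filter would pass invoice.txt."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12} {verdict}")
```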

Q: Which component is affected by this vulnerability?
A: This information is not available, but the error is probably in the Winword.exe executable itself.

Q: Is this the first time a malformed string in a Word document has led to code execution?
A: No. The Microsoft Office patches released in October (MS06-062 and MS06-060) included fixes for issues of this type too.

Q: When is a fix for this vulnerability expected?
A: It is impossible to say. Microsoft has stated that it is developing a security update for this vulnerability. The next monthly security updates are scheduled for 12th December, 2006.
According to Microsoft's notification, the upcoming monthly updates include only Microsoft Security Bulletins affecting Windows and Visual Studio. Link to the Advance Notification program page: www.microsoft.com/technet/security/bulletin/advance.mspx.
Update: No fix was included; the MSRC Blog confirmation is located here.

Q: Is a CVE name available for this issue?
A: Yes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following CVE candidate:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5994

Q: Are there any changes in the widely known Internet threat meters of security vendors?
A: Yes. Symantec's ThreatCon meter has been raised to level 2/4 (Elevated):
www.symantec.com/avcenter/threatcon/learnabout.html

IBM ISS X-Force’s AlertCon (Current Internet Threat Level) is at level 2/4 (Increased vigilance) too:
https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp

Link to the related alert: iss.net/threats/W32.Downloader.MSWord.929433.html

McAfee’s ThreatCenter Global Threat Condition is currently at level 2/4 (Elevated) too:
www.mcafee.com/us/threat_center/default.asp

Q: Does the malware exploiting this vulnerability use rootkit techniques?
A: There is no information available.

Q: Is there information about the origin of the malware authors?
A: No.

Q: Are there any other technical references released?
A: Yes. The McAfee advisory "Microsoft Word 0-Day Vulnerability I" and the eEye Zero-Day Tracker entry EEYEZD-20061205 have been released.

(c) Juha-Matti Laurio, Finland (UTC +2hrs)

Revision History:
1.0 07-12-2006 Initial release
1.1 08-12-2006 Updated document and some minor fixes
1.2 08-12-2006 Added information about Windows Live OneCare protection
1.3 08-12-2006 Added F-Secure’s protection information
1.4 09-12-2006 Added information about the state of Internet threat meters, added Panda Software information, updated document
1.5 10-12-2006 Minor fixes
1.6 11-12-2006 Added McAfee’s protection information and hyperlinks, added more technical references. Added Microsoft OneCare protection information.
1.7 12-12-2006 Added new information about various file sizes
1.8 13-12-2006 Updated document, added MSRC reference to confirm the unpatched state and added Symantec protection information.
1.9 14-12-2006 Added information about spreading mechanism, updated hyperlinks, formatted document
2.0 21-12-2006 Updated document
2.1 17-02-2007 Added information about the fix included in MS07-014

Local Finnish time is being used.
