The AV coverage of 12122006-djtest.doc PoC extremely poor
December 14th, 2006 by Juha-Matti, Filed under: Commentary, Corporate Security, Microsoft, Virus, Web
This quite negative title is based on the current result of a VirusTotal scan of the Word 0-day PoC file 12122006-djtest.doc. This Proof of Concept file was publicly released on Tuesday 12th December [I'm not linking to the exploit/PoC site].
The complete scanning result of “12122006-djtest.doc”, submitted to VirusTotal.com recently, is the following:
–clip–
Antivirus Version – Update Result
AntiVir 7.3.0.15 – 12.13.2006 no virus found
Authentium 4.93.8 – 12.13.2006 no virus found
Avast 4.7.892.0 – 12.13.2006 no virus found
AVG 386 – 12.13.2006 no virus found
BitDefender 7.2 – 12.14.2006 Exploit.MSWord.Gen.2
CAT-QuickHeal 8.00 – 12.13.2006 no virus found
ClamAV devel-20060426 – 12.14.2006 no virus found
DrWeb 4.33 – 12.13.2006 no virus found
eSafe 7.0.14.0 – 12.13.2006 no virus found
eTrust-InoculateIT 23.73.85 – 12.14.2006 no virus found
eTrust-Vet 30.3.3248 – 12.13.2006 no virus found
Ewido 4.0 – 12.13.2006 no virus found
Fortinet 2.82.0.0 – 12.14.2006 no virus found
F-Prot 3.16f – 12.13.2006 no virus found
F-Prot4 4.2.1.29 – 12.13.2006 no virus found
Ikarus T3.1.0.26 – 12.13.2006 no virus found
Kaspersky 4.0.2.24 – 12.14.2006 no virus found
McAfee 4918 – 12.13.2006 no virus found
Microsoft 1.1804 – 12.14.2006 no virus found
NOD32v2 1920 – 12.13.2006 no virus found
Norman 5.80.02 – 12.13.2006 no virus found
Panda 9.0.0.4 – 12.13.2006 no virus found
Prevx1 V2 – 12.14.2006 no virus found
Sophos 4.12.0 – 12.13.2006 no virus found
Sunbelt 2.2.907.0 – 11.30.2006 no virus found
TheHacker 6.0.3.131 – 12.10.2006 no virus found
UNA 1.83 – 12.13.2006 no virus found
VBA32 3.11.1 – 12.13.2006 no virus found
VirusBuster 4.3.15:9 – 12.13.2006 no virus found
–clip–
Only one vendor of 29 has protection, detecting the file as Exploit.MSWord.Gen.2.
It is worth noting that seven fingerprints are dated 14th Dec. When I submitted the Word document to the service six hours ago, there were no detections available.
The title of the exploit release states that it is a Code Execution issue, but the release doesn’t refer to MSRC Blog entries etc. Additionally, there is no CVE included.
Based on the recent state of anti-virus protection, I see this PoC as related to the newer zero-day issue.
It is interesting that on Sunday 10th Dec McAfee reported this issue via the existence of the PWS-Agent.g Trojan. They reported that DAT4916 includes protection:
Minimum DAT: 4916 (12/11/2006)
(a link to the McAfee writeup is included in my previous writing). However, for this PoC released on 12th Dec, the most recent DAT files 4918 don’t have the protection.
If someone can confirm the target vulnerability of 12122006-djtest.doc, please let me know.
UPDATE: According to the latest conclusion, this is a totally new, third unpatched vulnerability in Word. McAfee AVERT Labs has confirmed this too.
UPDATE #2: This vulnerability has now been confirmed by US-CERT as “Microsoft Word malformed pointer vulnerability” and is public as CVE-2006-6561.



