Microsoft fixes Word 0-day flaw – related to Smart Tags

Microsoft has confirmed it will fix critical 0-day code execution vulnerability in Word, or in several Office products. According to their Advance Notification program details released yesterday, MS is planning to release

Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical.

Originally the schedule was informed via this MSRC Blog entry.
Major sources say this is Word vulnerability affecting Microsoft Word 2003 and Microsoft Word 2002 (so-called Word XP). But Dave Aitel dropped a comment three weeks ago:

It’s always possible the “Word” bug is really a PPT or Excel bug.

In May, already, Mr. Aitel’s Florida based Immunity Inc. company generated a working PoC saying this flaw is related to Microsoft Office Smart Tags implementation.

This information was disclosed via their Partner’s Web page:

-> CANVAS Modules and Proof of Concepts

The first entry from May 29th says ‘Proof of Concept for the Microsoft SmartTag bug (still unpatched)’. Interesting document name; wordmagic_may29.doc.

This PoC code is available only as part of the Immunity Partner program; it is not available to the public.

At the same time Symantec published a new write-up about .C variant of Ginwui malware, calling it as Backdoor.Ginwui.C. This Ginwui variant uses different ‘target’ domain now. It communicates to, registered to Shenzhen COMEXE Communication Technology Co. Ltd. in China. .A and .B opened backdoor to and scfzf.xicp.[REMOVED].

One more conclusion:
A and B variants of Ginwui used rootkit techniques, variant .C doesn’t. I believe that the write-up is ready already, because it has same author than variant .B had.
Malformed Word document had new name as dropper file now; Mdropper.I. Symantec says document arrived has Japanese characters. Earlier names like PLAN.doc, PLANNINGREPORT5-16-2006.doc and FINAL.doc was in use. More information about the process is here and here [Advanced].

Maybe it’s time to discuss is disabling Smart Tags feature needed in organizations. MS has their instructions.

I’m not registered Immunity partner and have no connections to the company.
Several related references included to this posting.
Matthew Murphy’s registry fix is available as well.

Update 13th Jun: Microsoft says the following (MS06-027):

A remote code execution vulnerability exists in Word using a malformed object pointer.

Print Friendly, PDF & Email

Published by


Security consultant from Finland

Comments are closed.