
Thread: ** HEADS UP ** Microsoft Office Vulnerability - ACTIVELY BEING EXPLOITED

  1. #1

    ** HEADS UP ** Microsoft Office Vulnerability - ACTIVELY BEING EXPLOITED

    A very well written document on this exploit situation (place where I’ve taken information from)

    http://isc.sans.org/diary.html?storyid=6778


    ** HEADS UP ** Microsoft Office Vulnerability - ACTIVELY BEING EXPLOITED.

    Second heads up in 2 weeks, but this one is more actively being exploited. I SAY AGAIN, THIS VULNERABILITY IS ACTIVELY BEING EXPLOITED.

    A lot of threat cons have gone up to stage 2 or 3, depending on their measurement techniques. However, the point is everyone has raised the BAR of current threat level.

    Advisory: http://www.microsoft.com/technet/sec...ry/973472.mspx
    KB article: http://support.microsoft.com/kb/973472
    SRD blog: http://blogs.technet.com/srd/archive...erability.aspx
    MSRC blog: http://blogs.technet.com/msrc/archiv...-released.aspx

    Products affected:
    Microsoft Office XP Service Pack 3;
    Microsoft Office 2003 Service Pack 3;
    Microsoft Office XP Web Components Service Pack 3;
    Microsoft Office Web Components 2003 Service Pack 3;
    Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1;
    Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3;
    Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3;
    Microsoft Internet Security and Acceleration Server 2006;
    Internet Security and Acceleration Server 2006 Supportability Update;
    Microsoft Internet Security and Acceleration Server 2006 Service Pack 1; and
    Microsoft Office Small Business Accounting 2006.

    A FIX IT TOOL IS AVAILABLE:
    http://go.microsoft.com/?linkid=9672747
    FOR ALL AD admins out there:
    http://technet.microsoft.com/en-us/l.../bb457006.aspx
    ** USING AN ALTERNATIVE BROWSER (OTHER THAN IE) IS RECOMMENDED **

    List of domains currently exploiting the vulnerability can be found here:

    http://isc.sans.org/diary.html?storyid=6739
    Be sure to block them at gateway level.

    Attack vectors used to exploit this vulnerability:
    1. The now-known public attempts to exploit the vulnerability; attackers just modify the code with a fresh download and payload to slightly modified malware.
    2. A .cn domain using a heavily obfuscated version of the exploit - which may become an attack kit (think MPACK) and is similar to recent DirectShow attacks.
    3. A highly targeted attack against an organization earlier today, which received a Microsoft Office document with embedded HTML. This one was particularly nasty; it was specifically crafted for the target - with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient. Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim's domain/IP range would not reach the server.

    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
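
An added example, not part of the original post: one way to turn a published domain list into a clean gateway deny list and check existing proxy logs for clients that already reached a listed domain. The domains, the log format (timestamp, client IP, method, URL, status) and all function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def normalise(entry):
    """Reduce a (possibly defanged) list entry or URL to a bare lowercase hostname."""
    e = entry.strip().lower()
    if not e or e.startswith("#"):
        return None
    e = e.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http", 1)
    if "://" not in e:
        e = "http://" + e          # bare "host" or "host:port" entries
    try:
        host = urlsplit(e).hostname
    except ValueError:             # malformed entry: skip rather than guess
        return None
    return host.rstrip(".") if host else None

def load_blocklist(lines):
    """Deduplicated set of hostnames suitable for a gateway deny list."""
    return {h for h in map(normalise, lines) if h}

def is_blocked(host, blocklist):
    """Match the host or any parent domain, on label boundaries only."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def find_hits(log_lines, blocklist):
    """Return (client_ip, host) for each logged request to a listed domain."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:        # not a request line in the assumed format
            continue
        host = normalise(fields[3])
        if host and is_blocked(host, blocklist):
            hits.append((fields[1], host))
    return hits

# Constructed sample data: these are NOT entries from the ISC list.
SAMPLE_LIST = ["# constructed", "hxxp://bad-example[.]test/owc.htm",
               "Evil-Example.test.", "bad-example.test"]
SAMPLE_LOG = [
    "2009-07-14T09:01:02 10.0.0.5 GET http://www.bad-example.test/a.htm 200",
    "2009-07-14T09:01:09 10.0.0.7 GET http://notbad-example.test/ 200",
    "2009-07-14T09:02:11 10.0.0.9 CONNECT evil-example.test:443 200",
    "2009-07-14T09:03:00 10.0.0.5 GET http://intranet.example.test/ 200",
]

if __name__ == "__main__":
    for client, host in find_hits(SAMPLE_LOG, load_blocklist(SAMPLE_LIST)):
        print(f"{client} reached listed domain {host}")
```

Matching on label boundaries catches subdomains of a listed domain without flagging unrelated names that merely end in the same characters.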

  2. #2
    nihil, Senior Member (Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)

    Hmmm,

    I wonder if it would work if you use Open Office 3.1?....................somehow I doubt it.

    I am also curious as to what would happen if you used the MS Excel viewer as your default application. If that isn't privileged enough it might present a possible future solution, at least for those who don't normally use Excel interactively.

    It is here for those who might be interested:

    http://www.microsoft.com/downloadS/d...displaylang=en

    If you have to deliberately open Excel to activate the malware then that would represent a substantial mitigation.

    I also wonder what would happen if you just downloaded the spreadsheet and opened it offline?

    Given that the IE + MS Office combination is so complex, I am afraid that these sorts of exploit will be an ongoing thing.

    As for the list of domains..........................would you click on them?

  3. #3

    "As for the list of domains..........................would you click on them?"

    I'm an "analyst" now in the company.. So I play in the LAB more.. Anyway, I've proposed a "closed" approach where everything is closed by default and opened as needed. So these sites are way beyond accessible..

    As for clicking on them;

    I have 2 VMs running XP and Vista with Office 2003 and 2007 (SP 1 and 2 on second Vista machine) running IE8.. I'm recording network traffic and processor execution.. I suck at all of this but I'll be taking all of this data to someone who will explain and in a way make me understand how these sites exploit..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
