F-Secure has been tracking a series of sophisticated, very targeted attacks against large European corporations in recent
months. All have used malicious Word file attachments to install malicious programs on corporate networks. The attacks, sometimes
referred to as "spear phishing" attacks, use e-mail messages that appear to come from within a company, with spoofed sender
addresses and even faked corporate letterhead information. The messages are sent to employees within the company, who are
tricked into opening the attachment, believing it comes from a colleague, Hyppönen said.
Microsoft Word and other Office applications are a good target, because they are ubiquitous on corporate computers, and because
companies often patch them far less frequently than the Windows operating system itself, he said.
"It's not unusual to have a fully patched Windows system running a version of Word that hasn't been patched for a year or more,"
he said.
Symantec advised customers to block Microsoft Word document attachments in e-mail and said users should use "extreme caution"
when they receive an unexpected Microsoft Word attachment.
Until signatures are developed for the latest Word exploit, gateway and desktop antivirus software will not be able to detect
it. However, attacks that use older exploits should be stopped by most antivirus products, Hyppönen said.
Attacks that target applications are becoming more common. This marks a change from recent years, in which the most dangerous
attacks and worms focused on vulnerable operating system and network services such as LSASS (Local Security Authority Subsystem
Service), RDP (Remote Desktop Protocol), and others.
In March, Microsoft patched seven critical holes in the Microsoft Office suite, which includes Microsoft Word. The holes could
have allowed remote code to be run on vulnerable Windows systems (http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx).
The latest vulnerabilities in Office applications are different from an earlier generation of threats, like the "Melissa"
virus, which used a loosely secured macro programming language in Word to propagate. The new attacks target holes in the applications
themselves to take control of Windows systems, which can then be mined for sensitive information or used as "zombies" to send
out spam, distribute malicious code or launch denial of service (DoS) attacks.
Companies commonly blocked Word attachments in the days of "Melissa," but restrictions may have eased in recent years, as
macro viruses faded into the history books and malicious activity shifted elsewhere, Hyppönen said.