Disagreement Over '0-Day' Word Worm
Last weekend's disclosure of an alleged security vulnerability in Microsoft Word 2000, exploited by a new version of an old worm, is raising questions over what constitutes the severity of an exploit. Is it the degree to which we know about it, or the number of systems out there it could possibly hurt?
A blog post last Sunday on Symantec's Web site characterizing the latest permutation of a months-old exploit as "zero-day" contributed to security firm Secunia raising its advisory rating to "extremely critical."
But Symantec itself, along with other firms, continues to rate the exploit -- the latest in a series of worms that drop backdoor payloads through a hole discovered in Word 2000 -- as "low" or "very low" severity.
Typically, a zero-day exploit is released into the wild and becomes active within 24 hours of reports of the vulnerability which it exploits. In the case of what Symantec classifies as Trojan.Mdropper.Q, reports of this latest permutation were recorded just within the past few days, but according to Symantec's own security advisory, fewer than three sites actually reported its existence.
Meanwhile, reports of earlier permutations have extended as far back as May 2005. The earliest version of the worm classified by Symantec, Trojan.Mdropper.B, exploited a Word 2000 macro-related vulnerability involving the name buffer, triggering an overflow that enabled the dropping of a backdoor package onto infected systems. That buffer overflow was first documented in November 2003, which would make version "B" a "one-and-a-half year exploit" rather than a zero-day.
But version "Q," according to Symantec, exploits a "previously undocumented vulnerability in Microsoft Word 2000," implying that later versions now make use of a different technique. That distinction does little to help the worm evade detection: its signature still registers as Trojan.Mdropper in Norton AntiVirus. The vulnerability does not affect Office XP or Office 2003.
Secunia's description of this new version refers to a "memory corruption error" that is thus far undocumented, but does not go into specifics. If the Word 2000 vulnerability is, in fact, undocumented, then this new "Q" version could be credited with bringing the problem to light.
Sophos currently classifies the worm as W32/MoFei-P, and explains that the payload it drops onto infected systems has the power to download files from the outside, delete files on the system, and log and capture screen commands -- typical of most backdoors. Currently, Sophos gives the worm a "low" prevalence rating, though it updated its virus definition files yesterday to help users identify it.
Graham Cluley, Sophos' senior technology consultant, told BetaNews this morning, "We're not seeing evidence of it spreading very widely at the moment. It does appear that it is exploiting an as-yet unpatched vulnerability in Microsoft Word, and I think that's why some people are describing it as critical. Obviously a day-zero hole in a widespread piece of software like Microsoft Word that is being exploited by malicious code raises the temperature for a lot of people."
A lot of people, perhaps, but not Cluley, who advises users simply not to open unsolicited Microsoft Word documents as a matter of everyday principle.
One could argue that the fact that no time passed between the worm's discovery and that of the vulnerability it exploits could qualify it as a "zero-day exploit." But that term has typically been used to raise red flags about security issues whose public revelation leads to near-instantaneous dangers.
In this case, even the trusted security companies that brought this issue to light continue to rate its severity among the lowest of categories, which could leave some wondering whether leveraging a phrase generally synonymous with "red alert" is actually doing users a service.
Microsoft acknowledged to BetaNews that its security division was investigating a "possible vulnerability in Microsoft Word," but declined to call it an actual security flaw.
"In order for this attack to be carried out," a Microsoft spokesperson explained, "a user must first open a malicious Word document that is sent as an e-mail attachment or otherwise provided to them by an attacker." Microsoft does believe some type of attack is taking place, but is uncertain whether it's a new attack -- as Symantec and others claim -- or simply a rehash of an old scenario.
"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs," the spokesperson added.