There’s a newly discovered vulnerability in Microsoft Word.
The worst part? Its discovery resulted directly from the fact that people are
exploiting it.
A new zero-day flaw has surfaced in Microsoft Word. According to a May 18 post on SANS’ Handler’s Diary, a highly targeted attack has appeared, tipping off investigators to a previously unknown vulnerability in Word.

For those who aren’t familiar with the term, a zero-day
exploit is one that results in actual attacks before researchers discover it
and add it to antivirus signature databases. That means that antivirus software
offers little or no protection against a zero-day exploit—making it extremely

However, while this is a new threat, so far it hasn’t resulted in widespread attacks. According to, the initial attack targeted a Japanese government office.

By design, the attack appears as if it’s an internal memo,
and antivirus software doesn’t catch it. According to Symantec, the attack can
bypass spam filters.

Symantec has designated the Trojan Backdoor.Ginwui, and it has designated the Word 2003 document that drops it Trojan.Mdropper.H. The company has published details of a registry edit that can reportedly remove Backdoor.Ginwui; see the Symantec report for the current procedure, because the details may change as the situation develops.

The payload of the Word attachment appears to be a Trojan,
but few details are available at this time. Opening the e-mail attachment displays
a message, but it also opens a backdoor in the background, which then pings an
IP address in Asia.

Opening the attachment in Word 2003 installs the Trojan. But
in Word 2000, the attachment causes the program to crash instead, and it
doesn’t run the payload.

So far, this is a very targeted attack. However, as attackers
learn how to exploit the new vulnerability, expect to see more widespread use
of the threat—at least until Microsoft’s next Patch Tuesday, scheduled for June

Other than opening all e-mails in Word 2000 to see which ones
crash the system, all you can do to protect users is to warn them to be
especially vigilant about opening unexpected Word attachments to e-mails. Of
course, I stand by my longtime warning to never use .doc file formats and stick
with the .rtf format as the default for your company. While there isn’t enough
information available about this new exploit to be certain this format would
block the attack, it’s highly likely because the .rtf format generally blocks
malicious Word macros.

Final word

Once again, I strongly urge every business to ignore the
Microsoft .doc default format in Word and instead change it to the .rtf format.
Taking this simple step will eliminate virtually all Word macro threats, and
most functionality will remain. I say “virtually all” simply because
I can’t be certain that there’s no possible way to exploit the .rtf format. I can’t
recall any offhand, and I would appreciate hearing from anyone who could remind
me if there are some I’ve forgotten.


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.