Original URL: http://www.channelregister.co.uk/2007/10/11/exploit_wednesday/
The trend for exploiting vulnerabilities around the same time as Microsoft's monthly Patch Tuesday update continues.
Hackers have crafted a new Word exploit based on a memory corruption vulnerability (http://secunia.com/advisories/27151) addressed by Microsoft on Tuesday. The flaw (http://www.microsoft.com/technet/security/Bulletin/MS07-060.mspx) was already exploited prior to the release of the fix, according to Microsoft.
Until this week the critical (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3899) flaw had only been exploited in targeted attacks (http://isc.sans.org/diary.html?storyid=3480), but it's now getting wider play.
Symantec reports (http://www.symantec.com/enterprise/security_response/weblog/2007/10/patch_tuesdayexploit_wednesday.html) that the vulnerability is now being exploited in more widespread attacks. Malformed Word documents doing the rounds contain shellcode and three pieces of malware. The malware package is unusual in that it was created using the Word for Macintosh format instead of the standard Windows (OLE) format.
Despite the formatting, the malicious Word documents are actually targeted at infecting Windows PCs, according to a preliminary analysis by Symantec.
Detection for the malware - dubbed the Mdropper-Z Trojan (http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-101014-1321-99) - has been added to Symantec's security software. The software also detected the separate malware files contained in the payload of the maliciously constructed Word files as Trojan-Dropper, Backdoor-Trojan, and Hacktool-Rootkit.
The use of older file formats in the exploit could backfire on hackers. "The good news is that the default configuration in Microsoft Office 2007 and Office 2003, Service Pack 3 will not allow you to open some older Office file formats, including Office for Macintosh documents," Symantec notes. ®