Microsoft .doc exploit
Jim Holland
mailscanner at mango.zw
Sat May 20 13:20:59 IST 2006
On Fri, 19 May 2006, Kevin Miller wrote:
> May be premature to block .doc files, but SANS reports on a zero day
> rootkit carried in a word doc.
> http://www.incidents.org/diary.php?storyid=1345 It's in the wild but
> was a targeted attack.
>
> Apparently no AV signatures yet. One to watch.
>
> Boy it's good to have a system that can block such things with a couple
> lines and 30 seconds of time! In the past couple of weeks I've had two
> different vendors try to sell me their proprietary systems. They're
> wasting their time. MailScanner rocks!
Note that you would need to block this by file type (e.g. Microsoft Office
Document) not extension:

    In most cases, Windows will call Word to open a document even if
    the document has an unknown file extension. For example, if
    document.d0c (note the digit "0") contains the correct file header
    information, Windows will open document.d0c with Word.

Source: US-CERT Technical Cyber Security Alert TA06-139A

Regards
Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
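
The point made in the message above, as an added example (not part of the original post and not MailScanner code): a content-based check that recognises the OLE2 compound-file header used by Word .doc files, so document.d0c is caught even though its extension is unknown. The function names, the extension list and the sample header bytes are constructed for illustration.

```python
import struct
from pathlib import PurePath

# Signature at offset 0 of every OLE2 compound file (Word .doc, Excel .xls, ...)
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Extensions a filename rule would normally associate with OLE2 content
# (assumed list for this example, not a MailScanner default)
KNOWN_OLE2_EXT = {".doc", ".dot", ".xls", ".ppt"}


def is_ole2(data: bytes) -> bool:
    """Validate the fixed fields of the compound-file header, not just the magic."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return False
    # Offsets 24..33: minor version, major version, byte order,
    # sector shift, mini sector shift (all little-endian uint16)
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<5H", data, 24)
    if byte_order != 0xFFFE or mini_shift != 6:
        return False
    # Version 3 uses 512-byte sectors, version 4 uses 4096-byte sectors
    return (major, sector_shift) in {(3, 9), (4, 12)}


def verdict(filename: str, data: bytes):
    """Return (action, disguised): decide on content, report extension mismatch."""
    ext = PurePath(filename).suffix.lower()
    if is_ole2(data):
        return ("block", ext not in KNOWN_OLE2_EXT)
    return ("pass", False)


def constructed_ole2_header() -> bytes:
    """Constructed sample: a minimal version-3 header padded to one sector."""
    fields = struct.pack("<5H", 0x003E, 3, 0xFFFE, 9, 6)
    return (OLE2_MAGIC + bytes(16) + fields).ljust(512, b"\x00")


if __name__ == "__main__":
    sample = constructed_ole2_header()
    for name, body in [("document.doc", sample), ("document.d0c", sample),
                       ("notes.doc", b"plain text, not a Word file\n" * 20)]:
        print(name, verdict(name, body))
```

The same header is shared by other OLE2-based formats, so a type rule built on it blocks more than Word documents.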