After December’s Patch Tuesday, yet another vulnerability has surfaced, this time in one of Microsoft’s more familiar applications: WordPad. Trend Micro detects the exploit for this vulnerability as TROJ_MCWORDP.A.
The exploit uses a specially crafted .DOC, .WRI, or .RTF file to take advantage of the WordPad vulnerability, causing the application to crash. This crash may then allow a remote malicious user to take control of an affected system. Microsoft has already issued a bulletin regarding the issue, which can be found at the following link:
- Microsoft Security Advisory (960906) – Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
What makes the malware exploiting this bug more interesting is that it exhibits a VMware-checking routine. If it detects that it is being run inside a virtual machine, it does not continue to exploit the affected system. Otherwise, it drops another malicious file detected as BKDR_AGENT.VBI. This backdoor opens a random port to allow hackers to connect to the system; once connected, they are able to execute commands.
WordPad is the word processor users start with on a fresh Windows install, but it tends to go unnoticed once users install a more widely recognized word-processing suite such as MS Office or OpenOffice. However, this seemingly trivial piece of software has been patched in the past, so it may not come as a surprise that it has been exploited again.
This exploit is just one of a series to affect Microsoft immediately after it released its monthly security updates. A zero-day bug in Internet Explorer was actively exploited just days ago to infect users with information-stealing malware. Mass SQL injections exploiting the same vulnerability were soon discovered affecting a Taiwanese search engine and a Chinese sporting goods site.
Our engineers are also still analyzing a proof-of-concept threat that exploits yet another zero-day flaw, this time in Microsoft’s SQL Server. Users are advised to apply patches once they are made available.
The Trend Micro Smart Protection Network provides protection to Trend Micro customers against this recently discovered flaw, yet caution is urged since it remains unpatched by Microsoft.