Friday, February 10, 2012

Trojan "In-the-Wild" Exploits Patched Microsoft Office Vulnerability

Once again, we’re being reminded how important it is to keep your computer’s operating system current with the latest updates and patches.

If you don’t, you may find yourself in hot water when you encounter an attack that exploits a vulnerability that wouldn’t have otherwise existed.

Researchers over at Symantec stumbled across a targeted attack that attempts to exploit a Microsoft Office vulnerability that Microsoft issued a patch for back in September (see security bulletin MS11-073).

In the attack, the victim would receive a zip file – typically named “” – via email containing two files: a Word document and a DLL file, “fputlsat.dll.” It’s a rather interesting combination, given that DLL files are rarely sent by email and the malicious DLL file carries the same name as a legitimate file that’s used for the Microsoft Office FrontPage Client Utility Library.

[Image: Microsoft Office Vulnerability Exploit Zip Files. Image credit: Symantec]

When executed, Symantec’s researchers found that the exploit makes use of an ActiveX control embedded in the Word doc.

“When the Word document is opened, the ActiveX control calls fputlsat.dll which has the identical file name as the legitimate .dll file used for the Microsoft Office FrontPage Client Utility Library,” Joji Hamada explained in a blog post published on Thursday. “If the exploit is successful, malware is dropped onto the system.”

Once the attack has been carried out, the fputlsat.dll file is replaced with “Thumbs.db”, which is commonly created by Windows when thumbnail view is used and is typically hidden from view.

Symantec identifies the Word doc used in this attack as "Trojan.Activehijack."

Don't Leave Your System Vulnerable - Update Your OS!

To avoid being hit by this attack, users are advised to:

  • Be wary of emails that contain DLL files. (Do not download or open files coming from an unknown/untrusted sender).

  • Keep their system patched and protected with OS updates.

  • Always run antivirus software and make sure the virus definitions are current.
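
The first recommendation can be checked automatically when triaging mail attachments. The following is an added example, not code from Symantec or the original post: it inspects a zip attachment and reports whether it contains a DLL, whether that DLL sits in the same folder as a Word document, and whether it uses the Office library name mentioned above. The finding labels, the `DOC_EXTS` set and the sample file names are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

DOC_EXTS = {".doc", ".docx", ".docm", ".rtf"}  # assumption: treated as Word documents
OFFICE_DLL_NAMES = {"fputlsat.dll"}            # library name reported in the article


def inspect_zip(data: bytes) -> list:
    """Return a sorted list of finding labels for a zip attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [n for n in zf.namelist() if not n.endswith("/")]
    except zipfile.BadZipFile:
        # Anything we cannot parse goes to manual review instead of passing.
        return ["unreadable-archive"]

    findings = set()
    docs_by_dir, dlls_by_dir = {}, {}
    for raw in members:
        # Normalise Windows separators and case before comparing names.
        path = PurePosixPath(raw.replace("\\", "/").lower())
        if path.suffix in DOC_EXTS:
            docs_by_dir.setdefault(path.parent, []).append(path.name)
        elif path.suffix == ".dll":
            dlls_by_dir.setdefault(path.parent, []).append(path.name)
            findings.add("dll-in-attachment")
            if path.name in OFFICE_DLL_NAMES:
                findings.add("office-library-name")
    # A document and a DLL that would be extracted side by side.
    if any(folder in docs_by_dir for folder in dlls_by_dir):
        findings.add("document-beside-dll")
    return sorted(findings)


def make_zip(names) -> bytes:
    """Build an in-memory zip with empty placeholder members (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_zip(["report.doc", "fputlsat.dll"])  # constructed file names
    print(inspect_zip(sample))
```

An archive that triggers `document-beside-dll` is worth quarantining even when the DLL has a different name, since the pairing itself is what made this attachment unusual.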
