New Exploit for Patched Office Hole

Thursday, February 16, 2012 @ 01:02 PM gHale

Why teach an old dog new tricks, when the old tried and true still work? In the case of Microsoft Office, there is a new trick to take advantage of an old vulnerability.

A specially crafted Trojan exploits a previously patched vulnerability, said researchers at Symantec. The attack occurs when a user opens up an email that contains a Microsoft Word file with a malicious DLL (Dynamic Link Library) file.


“The exploit makes use of an ActiveX control embedded in a Word document file,” said Takayoshi Nakayama, a researcher at Symantec. “When the Word document is opened, the ActiveX control calls fputlsat.dll which has the identical file name as the legitimate .dll file used for the Microsoft Office FrontPage Client Utility Library.”

Nakayama said once the attacker exploits this flaw, he is free to load up an infected system with malware. He also advises users who see an email attachment with the file name fputlsat.dll to proceed with caution.

And an email with this type of attachment should be easy to spot, Nakayama said.

“The files stand out from the common targeted attacks because a Microsoft Word document file is paired with a .dll file. Usually, targeted attacks involve one file which drops malware. The pair would most likely arrive to the target wrapped in an archive file attached to an email. It is common to see document files sent by email inside an archive, but typically, you would not see .dll files ever sent by email.”

Microsoft previously fixed the vulnerability, whose exploit Symantec has seen in the wild, in September’s security update, bulletin MS11-073.

Nakayama said because the bulletin was only rated “important” by Microsoft, users may have overlooked it.
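The pairing Nakayama describes, a Word document arriving together with a .dll, usually inside an archive, can be checked for at a mail gateway or during triage. The following is an added example, not code from Symantec or Microsoft; the function names, the `report.zip` attachment and the sample messages are constructed for illustration, and the check goes slightly beyond the article by also covering a document and .dll attached loose to the same message.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

WORD_EXTS = (".doc", ".docx", ".docm", ".rtf")  # assumed set of Word document extensions
WATCHED_DLL = "fputlsat.dll"  # file name given in the article

def pair_finding(container, names):
    """Return a finding dict if the listing holds both a Word document and a .dll."""
    base = [n.replace("\\", "/").rsplit("/", 1)[-1].lower() for n in names]
    docs = [n for n in base if n.endswith(WORD_EXTS)]
    dlls = [n for n in base if n.endswith(".dll")]
    if docs and dlls:
        return {"container": container, "docs": docs, "dlls": dlls,
                "watched_name": WATCHED_DLL in dlls}
    return None

def scan_email(raw):
    """Check each zip attachment, then the loose attachments, of a raw message."""
    findings, loose = [], []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                findings.append(pair_finding(name, zf.namelist()))
        else:
            loose.append(name)
    findings.append(pair_finding("(message)", loose))
    return [f for f in findings if f]

def build_sample(members):
    """Constructed test message: one zip attachment holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, b"placeholder bytes, not real content")
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="report.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_email(build_sample(["Quarterly.doc", "fputlsat.dll"])))
```

The check looks only at file names, so it flags any document and .dll pair for review and separately marks the name the article reports.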
