Microsoft is investigating a new flaw in the Windows operating system, while researchers have discovered a new Trojan that poses as a legitimate Word document.

Microsoft acknowledged the possible Windows vulnerability in its Security Response Center Blog last night, but didn't provide details about the hole, which it says it learned about via proof-of-concept code posted on the Web. An attacker could exploit the Windows hole using Internet Explorer; the user would activate the malware by clicking on an infected link.

The hole hasn't been exploited yet, Microsoft says. "We are not aware of any attacks attempting to use the reported vulnerabilities or of customer impact at this time," says a Microsoft spokesperson. But the spokesperson says the flaw may require a security advisory or a security update in one of its Patch Tuesday releases.

Separately, Sophos reported the discovery of a new Word Trojan, called Kukudro-A. The Trojan isn't exploiting any holes in Word, explains Gregg Mastoras, security analyst for Sophos. The exploit is a combination of a spam email posing as an Apple, HP, and Sony laptop sales pitch, and a malware executable. When you open the infected files, called prices.zip, apple_prices.zip, or sony_prices.zip, they launch my_Notebook.doc, the infected Word file with the "pricing" information. Once a user opens the file, the Trojan silently slips into his computer, and the user is none the wiser, Mastoras says.

About 35 percent of malware incidents reported to Sophos in the past 24 hours have included this virus, so there is evidence it's spreading, Mastoras says. Sophos, Symantec, and McAfee all have added protection for Kukudro-A. Symantec and McAfee classify it as a low risk.

According to Microsoft, the exploit targets an old vulnerability in Word that had been patched (Security Bulletin), so users with software that's up-to-date aren't at risk.

This is latest in a long line of security alerts, patches, and patches of patches that Microsoft has suffered in the past month. (See Microsoft Works Around Excel Bug .) And this isn't the first time Word has been targeted, nor its cousin Excel. "It looks like some malware authors are looking more into apps like Excel and Word and seeing what they can do, especially if they are doing targeted attacks," says Jonathan Singer, a Yankee Group analyst.

It's not difficult for an attacker to fold a Trojan into a Word file, Mastoras says. It just takes some social engineering (like a tempting spam message), and a victim willing to open an infected file.

Microsoft has gotten a bad rap with its software problems, and deservedly so, says David Pensak, CTO and founder of application security startup V.i. Laboratories. (See Startup Locks Down Apps.) "But they have a lot of fundamental design problems in their software… They made some [poor] decisions before people understood how evil the hackers are," he says.

Meanwhile, Microsoft isn't mincing words about its position on vulnerability disclosure. The software company earlier this week criticized a researcher's public disclosure of how to exploit a hole in a remote access vulnerability in Windows.

The company took a kindler and gentler tone today on the latest disclosure. "As always, Microsoft continues to encourage responsible disclosure of vulnerabilities to minimize risk to computer users," says the Microsoft spokesperson. "Microsoft supports the commonly accepted practice of reporting vulnerabilities directly to a vendor, which serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Companies mentioned in this article: