Unofficial Registry Script Blunts MS Word Zero-Day AttackBy Ryan Naraine | Posted 05-22-2006
In the absence of a patch for a dangerous code execution hole in Microsoft Word, security experts are recommending that Windows users implement software restriction policies to blunt the effects of ongoing zero-day attacks.
Just days after anti-virus vendors warned that malicious hackers with links to China and Taiwan were exploiting the vulnerability to launch attacks against select business targets, independent researcher Matthew Murphy says Windows XP users can mitigate the risk by simply using the "Basic User" SRP (software restriction policy).
"By using the Basic User SRP, users can launch Microsoft Word without the ability to write to certain registry and file system locations that the in-the-wild malware requires access to," Murphy said in an entry on the SecuriTeam blog.
"This is a stop-gap measure based on the threat profile of the malware at this time and is only necessary if you're still running interactively as an administrator," he added.
"If you are, it should be a priority to change that if at all possible," said Murphy, a security researcher who has worked closely with Microsoft's security response center in the past.
"[O]rganizations and individuals who follow best-practice and log on interactively as non-administrators are currently not at risk. Based on feedback, I should also note that you are at less risk from any exploit of this vulnerability if the vulnerable application is running without full privilege," he added.
Murphy also released a registry script that sets a Software Restriction Policy that runs any instance of 'winword.exe' with the 'Basic User' policy.
Read the full story on eWEEK.com: Unofficial Registry Script Blunts MS Word Zero-Day Attack