Today we had an interesting sample shared with us. It was a Microsoft Word document that, when opened, simply crashed Word. We tried various combinations of Word versions, patches and languages, and in each case (with the exception of Office 2007) opening the document caused Word to crash. After taking a closer look, we could see that the document contained shellcode and three other pieces of malware. What was interesting about the document was that it wasn't in OLE format, meaning that it wasn't a standard Microsoft Office document.

After some investigation we determined that the document had actually been created using Word for Macintosh. Here you can see the difference between the header in an OLE (Windows) format document compared to that of a Mac format document:


It was then that we had a "light bulb" moment, because we knew that just yesterday Microsoft had released a patch for a vulnerability in Word for Mac documents. (See Microsoft Security Bulletin MS07-060.) Taking a closer look at that vulnerability, we confirmed that this document was in fact exploiting the same vulnerability.

It seems that the trend of exploiting vulnerabilities around the same time as Patch Tuesday continues. Microsoft themselves confirm in their advisory that they have seen this issue exploited in the wild. However, in our experience the exploitation of such vulnerabilities tends to be very targeted in nature. The good news is that the default configuration of Microsoft Office 2007 and Office 2003 Service Pack 3 will not allow you to open some older Office file formats, including Office for Macintosh documents (see MS KB922850 for further details). We're continuing to investigate the behavior of the exploit on other Office versions.
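A defender-side header check that follows from the OLE-versus-Mac header difference shown above and from the format blocking described in KB922850: flag any attachment named .doc that is not a well-formed OLE compound file. This is an added example, not code from the original post or from Symantec; the sample attachments are constructed, and the placeholder blob does not reproduce the real Word-for-Mac header bytes.

```python
# Offline triage of attachments claiming to be Word documents, as a mail gateway
# or sandbox would run it. Every standard Word 97-2003 .doc is an OLE2 compound
# file (CFB) starting with a fixed 8-byte signature; a .doc without it came from
# another writer (a legacy or foreign Word format) and deserves analyst review.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

def classify_doc(data: bytes) -> str:
    """Return the container format a .doc-named file actually uses."""
    if data.startswith(OLE_MAGIC):
        return "ole"        # Word 97-2003 compound file
    if data.startswith(b"{\\rt"):
        return "rtf"        # RTF text saved with a .doc extension
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"      # zipped Office Open XML (docx) misnamed .doc
    return "non-ole"        # anything else: legacy or unknown writer

def ole_header_ok(data: bytes) -> bool:
    """Sanity-check a CFB header: a full 512-byte header sector, the
    little-endian byte-order mark FE FF at offset 0x1C, and a sector shift
    of 9 (512-byte sectors) or 12 (4096-byte sectors) at offset 0x1E."""
    if len(data) < 512 or not data.startswith(OLE_MAGIC):
        return False
    sector_shift = int.from_bytes(data[0x1E:0x20], "little")
    return data[0x1C:0x1E] == b"\xfe\xff" and sector_shift in (9, 12)

def triage(attachments: dict) -> list:
    """Flag .doc attachments that are not well-formed OLE compound files."""
    flagged = []
    for name, data in attachments.items():
        if not name.lower().endswith(".doc"):
            continue
        kind = classify_doc(data)
        if kind == "non-ole" or (kind == "ole" and not ole_header_ok(data)):
            flagged.append(name)
    return sorted(flagged)

# Constructed sample attachments (not real files): a minimal valid CFB header
# sector, an RTF stub, a truncated OLE header, and an opaque placeholder blob
# standing in for a non-OLE document like the Word-for-Mac sample above.
SAMPLES = {
    "quarterly_report.doc": OLE_MAGIC + bytes(20) + b"\xfe\xff\x09\x00" + bytes(480),
    "memo.doc": b"{\\rtf1\\ansi Hello}",
    "truncated.doc": OLE_MAGIC + bytes(40),
    "invoice.doc": b"\x00\x01PLACEHOLDER-NON-OLE-HEADER" + bytes(64),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify_doc(data)}")
    print("flagged for review:", triage(SAMPLES))
```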

Symantec Antivirus products will detect the malicious document as Trojan.Mdropper.Z. The dropped files are detected as Trojan.Dropper, Backdoor.Trojan and Hacktool.Rootkit.

Thanks to Elia Florio for the analysis!