Cyber criminals find new way to exploit old Office hole

It appears that cyberattackers have found a new way to take advantage of an old Microsoft Office hole.

Symantec researchers were the first to notice a specially crafted Trojan that exploits the previously patched vulnerability. The attack occurs when a user opens up an e-mail that contains a Microsoft Word file with a malicious DLL (Dynamic Link Library) file.


Related coverage:

5 ways to avoid getting caught in phishing scams

Duqu attacks Windows via fonts; fix could harm display


"The exploit makes use of an ActiveX control embedded in a Word document file," wrote Takayoshi Nakayama, a researcher at Symantec, in a blog post. "When the Word document is opened, the ActiveX control calls fputlsat.dll which has the identical file name as the legitimate .dll file used for the Microsoft Office FrontPage Client Utility Library."

Nakayama said that once this flaw has been exploited, an attacker is free to load up an infected system with malware. He also advises that if you see an e-mail attachment with the file name ftutlsat.dll, proceed with caution.

And an e-mail with this type of attachment should be easy to spot, according to Nakayama: "The files stand out from the common targeted attacks because a Microsoft Word document file is paired with a .dll file. Usually, targeted attacks involve one file which drops malware. The pair would most likely arrive to the target wrapped in an archive file attached to an email. It is common to see document files sent by email inside an archive, but typically, you would not see .dll files ever sent by email."

The exploit, recently seen in the wild by the security firm, had been previously fixed by Microsoft in September's Security Update, bulletin MS11-073. Nakayma warns that because the bulletin was only classified as "important" by Microsoft, it might have been overlooked.

To protect your system make sure bulletin MS11-073 has been applied.

inside gcn

  • HPE SGI 8600

    New supercomputers headed to DOD

Reader Comments

Mon, Feb 13, 2012

It's not a new exploit. The actual story says Symantec recently seen the exploit in the the wild. Please research before you make a claim.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group