Microsoft Advises Switching Word to 'Safe Mode'

Microsoft is advising people to run its Word application in "safe mode" to help guard against a Trojan horse that surfaced recently, though security experts on Wednesday said there still appears little cause for alarm.

"The good news is that it doesn't seem to be very widespread," said Graham Cluley, a senior technology consultant with United Kingdom antivirus company Sophos PLC. "There have been very, very few reports."

Damage Limited So Far

Researchers at F-Secure and Trend Micro also said the number of reported incidents remained low on Wednesday. Trend Micro rates the Trojan horse as "low risk" because, while the potential for damage is high, the impact so far has been small, said David Sancho, a senior antivirus engineer.

The Trojan horse surfaced last Thursday and arrives buried in a Word file attached to an e-mail message. It secretly installs software on a user's PC that could be used to execute remote commands, download other malware, or monitor keystrokes and gather passwords, among other mischief.

For the Trojan horse to do its work, however, users must first be tricked into opening the Word attachment. And the incidents reported so far suggest that hackers are still using the Trojan horse in a very targeted fashion rather than sending it in mass e-mail, said Erkki Mustonen, a security researcher at F-Secure.

The Finnish vendor received reports from a handful of European companies affected last week that were all in the same business area, Mustonen said. He declined to name the industry. The company received a few more reports this week, but "it seems to be pretty calm," he said.

The number of hacker groups using the Trojan horses appears quite small at this point, Mustonen said. "It seems they have been written by expert people," he said.

He advised businesses to monitor any suspicious traffic in their firewall coming from China. The Trojan horse may not have originated there, but it appears at least to be talking to a host server in that country, he said.

Safe Mode Workaround

Microsoft's Security Research Center is analyzing the vulnerability, which affects Microsoft Word XP and Word 2003. The company said it will release a patch with its next regular update, due June 13, or earlier if necessary.

In the meantime, Word's safe mode won't fix the vulnerability but will prevent the vulnerable code from being exploited, Microsoft said.

In safe mode, Word ignores toolbar customizations, changes to preferences can't be saved, and functions such as AutoCorrect and Smart tags are disabled.

The first step is to disable the Outlook feature that uses Word for editing e-mails. The second involves creating a new desktop shortcut that adds "/safe" to the Word command line. Detailed instructions are in the Workaround section in Microsoft Security Advisory (919637).

"For the sake of security I'd recommend doing it, even though it's a bit difficult," Sancho of Trend Micro said.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon