Last Thursday, McAfee Avert Labs picked up another zero-day vulnerability targeting the JustSystems Ichitaro office application in the wild, the fourth since August 2006. Targeted attacks were directed at multiple enterprise and government users of Ichitaro in Japan, using two versions of a maliciously crafted Ichitaro document. Both exploits install the same BackDoor-DLI Trojan payload.

Now, Ichitaro, being a local application and unlike Microsoft's software, is not a popular area of interest among vulnerability researchers. The most high-profile vulnerabilities reported in 2007 would most likely be those in Internet Explorer and in popular image and media players (e.g., the QuickTime RTSP vulnerability and Exploit-AniFile.c, both with high success rates in the wild). In fact, Ichitaro caught the eye of vulnerability research labs only following a series of zero-day attacks. The most recent incident prior to Exploit-TaroDrop.d, in August 2007, was followed by the first three vulnerabilities publicized by a commercial research lab (http://www.ipa.go.jp/security/vuln/200710_Ichitaro.html), and the vendor promptly followed up with the latest security patches.

Notably, the bad guys did not leverage the reported vulnerabilities in the latest attacks. Instead, they fueled the attack with their own zero-day vulnerability, which was unknown to the world prior to the attack. Not following the herd, they did not use a Microsoft or QuickTime vulnerability. Their objectives are clear: hit only specific targets, using specific exploits against the weakest links available rather than what is popular.

The vendor already released the latest security patch for Exploit-TaroDrop.d last Friday.