MS Word Zero-Day Exploit Found
subbers writes "A zero-day flaw in Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"
You haven't done any computer support for non-technical people in a long time, have you? It's only been a couple years since I broke free from the shackles of technical support, so believe me when I say way too many people will open this without thinking twice.
Zero Day means that the vulnerability was previously unknown. Hence there are no days between discovery of the vuln and discovery of the exploit in the wild.
To me, in this context, zero-day has no meaning. It's used in the warez community to reference a download that is available the day the software is released (i.e., zero days after the release). You would also have 1-day, (n)-day, and in rare cases (negative)-day warez.
I can only guess that it means the worm uses a heretofore unknown exploit. Thus, this exploit is 'zero days' old.
Hmm, the Wikipedia page doesn't really explain it very well: http://en.wikipedia.org/wiki/Zero_day so let me try.
It means that the exploit was discovered by crackers before any patch has been made available to the public. In other words, there is nothing you can do except not open any .doc files unless you want to run the risk of being cracked.
But of course, everyone knows that Word is full of holes because no-one has really attempted to use it as an attack vector yet since there are many easier ways.
I'll probably be modded down for this...
As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter.
How about:
- make sure your users don't work as administrator but under an unprivileged user account
- set up the system so that this unprivileged user account cannot write in %windir% and %ProgramFiles%
- build the network in such a way that programs cannot directly "connect home" but can connect to the Internet only via well-defined proxy servers
- set up mail so that incoming office documents opened from mail do not open in Office but in the free Office viewers instead
Would someone with more knowledge than me explain the term "zero day"?
N-day (where N >= 1) exploits refer to the number of days after a vulnerability and/or patch is made available that it takes for exploits to occur. If Microsoft releases a patch on the 12th and an exploit is written on the 15th, that would be a 4-day exploit. Some people would consider it to be a 3-day exploit, not counting the day of the announcement.
Zero day refers to an exploit that uses a previously unknown vulnerability in software, or in some special cases, finds a way to turn a previously known flaw from something that wasn't considered bad enough to patch to a dangerous situation. Zero day exploits are dangerous in that there are no patches for them, although in some cases it can be prevented/mitigated by firewalls or Intrusion Prevention Systems. On the other hand, zero day exploits are often held closely by the people who discover them in order to gain the maximum advantage from it. For example, the exploit used on debian.org a few years ago was not disclosed in order to use it to penetrate several huge names in the open source community. Once a zero day exploit is made public knowledge, it will be focused on and patched.
There is also an archaic use of the term from the old days of pirate BBSes - back when delivery of cracked software was slow, different BBSes would have better priority on getting delivery of that software. The most important ones would get the software the day it was released by the cracking group and would be described as having 0-day warez. Broadband/P2P/etc. has made the use of this term out of date, although it's entirely possible that some people still use it in this context.
Not to mention that OO crashes all the time, and consumes the shit out of your RAM. However, kudos to the development team for providing a Linux alternative for office s/w tools and for continuously improving their software. It won't be long until OSS office tools surpass the quality of M$ Office. BTW, wasn't Google going to adopt the OO project or something? What happened to that idea?
Compatibility is just not a problem. In fact, I have better luck using files from all versions of MS Office than those using MS Office. (MS Office compatibility across versions is poor.)
It is at least so far detected by Symantec security software as of today. They detected it as Trojan.Mdropper.H.
Details are here: http://securityresponse.symantec.com/avcenter/venc/data/trojan.mdropper.h.html
Open your .doc documents in WordPad. The nice thing about it, aside from it being free and included in all flavors of Windows, is that it's too stupid to do any of the fancy stuff. It has long been a favorite to avoid macro viruses for the same reason.
I use this:
http://www.pc-tools.net/unix/renattach/
I just put it in the system wide procmailrc file and it runs for everyone.
It will rename files based on a file extension list that you designate. In addition it changes the MIME type headers. This forces the user to save and rename the file before launching it.
The author indicates it's no longer maintained, but it works quite well nonetheless.
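The same idea as an added example, written here in Python's standard `email` module rather than taken from renattach or from the poster: attachments whose extension is on an assumed list get renamed and their MIME type rewritten, so the mail client will not hand the file to Word and the user has to save and rename it first. The extension list, the `.txt` suffix and the sample mail are all constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extension list assumed for the example; renattach takes a configurable list.
RISKY_EXTENSIONS = {".doc", ".dot", ".exe", ".scr", ".pif"}
SUFFIX = ".txt"  # assumed suffix: appended so the client will not auto-launch the file


def neutralize_attachment(part):
    """Rename one attachment part if its extension is on the risky list.
    Returns the new filename, or None if the part was left untouched."""
    filename = part.get_filename()
    if not filename:
        return None
    _, ext = os.path.splitext(filename)
    if ext.lower() not in RISKY_EXTENSIONS:
        return None
    new_name = filename + SUFFIX
    payload = part.get_payload(decode=True)
    # Replace the Content-* headers: generic MIME type plus the new filename.
    # The bytes are untouched, so a legitimate file can still be saved and renamed.
    part.clear_content()
    part.set_content(payload, maintype="application", subtype="octet-stream",
                     disposition="attachment", filename=new_name)
    return new_name


def sanitize(raw_bytes):
    """Parse a raw message, rename risky attachments; return (message, renamed names)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    renamed = []
    for part in msg.walk():
        if part.is_attachment():
            new_name = neutralize_attachment(part)
            if new_name:
                renamed.append(new_name)
    return msg, renamed


def build_sample():
    """Constructed sample: looks like an internal memo with a .doc attached."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Please review"
    m.set_content("See attached document.")
    m.add_attachment(b"fake document bytes", maintype="application",
                     subtype="msword", filename="quarterly_report.doc")
    return m.as_bytes()
```

To use it in a delivery pipeline, feed the message from stdin to `sanitize()` and write `msg.as_bytes()` back out; that is the step renattach does from procmailrc.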
I'm not at liberty to mention what the bug is specifically, but all these people suggesting absurd fixes (i.e. links and not attachments [what will this accomplish? If a user will click an attachment do you think they won't click a link??] or switching to OO [sorry, it's gimpy at best]), all of these people will find themselves feeling silly when they find out the source of the bug and realize that they can just disable that functionality.