Slashdot Mirror


MS Word Zero-Day Exploit Found

subbers writes "A zero-day flaw in the Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"

15 of 396 comments

  1. Not overly bad, combined with some others bad. by Novanix · · Score: 5, Insightful

    This type of spam isn't too bad given traditional spam methods, as smarter users won't open attachments from people they don't know. The dumb ones generally don't know a Word doc from an EXE, so hopefully they are also avoiding most attachments. However, there have been a few articles on the future of spam and local data mining. Consider what would happen if the next virus your co-worker got looked through their emails, found the last Word document they sent out, and then copied that but embedded this exploit. They might even say, "it's been revised, please have another look." The chances you wouldn't open this are extremely low, especially when you are opening a normally okay attachment. It is coming from someone you know, from their computer, through their ISP, and is even styled the same way as normal. The question is how will we attempt to combat such things? It doesn't just have to do with holes in Microsoft Office, or any other format either. When local data mining is combined with exploits in any other common formats (given the image exploits of other OSes, even) you now have a delivery method that can almost promise execution.

    1. Re:Not overly bad, combined with some others bad. by Anonymous Coward · · Score: 4, Insightful
      Are You Serious?!?!

      So you're saying, in the age of modern broadband, in the age of rich deliverable content, that we should send text only? That's great. It's got nothing to do with fundamental inherent security issues in Microsoft's software made in poor architecture judgements, as well intended as they were.

      It's the fault of a fundamental concept in email delivery, which non microsoft users use without fear.

      hmmm.... don't think so. not at all.

    2. Re:Not overly bad, combined with some others bad. by 955301 · · Score: 3, Insightful

      Yes, I am serious.

      Your suggestion that an attachment represents "rich deliverable content" is laughable.

      Yes, I am saying email should be text only. It is already, whether you acknowledge it or not. You see, your "attachment" was bit shifted into text characters so it could be packaged in an email without getting munged. SMTP was intended for text and truncates bits based on that assumption. It's a bastardized, encoded cyst. A real document has a lifespan, an author, a source, and various other metadata that are not inherent to email. Copy an attachment out and paste into another email - unless the doc embeds the source, it has now been re-sourced forever.

      An email should point to the document, at its source, not contain the document. If the end user wants a copy they should make it from the single, established source.

      There is no reduction in the richness of the end effect. Single-clicking a link to the document on the source server takes no more time and is no less rich than double-clicking the document object in outlook.

      You're trying to suggest that it's a step back. Losing your system to a virus is a step back. Trading an embedded doc for a url to the document is not.

      --
      You are checking your backups, aren't you?
    3. Re:Not overly bad, combined with some others bad. by blazerw11 · · Score: 4, Insightful
      So, instead of attaching files to e-mails we should:
      • All run webservers and have e-mail programs that know how to publish to them and all of the cool new security issues that'll bring with it.
      • Or, we should all rent access on a webserver somewhere and either know how to publish documents on it, or have our e-mail program do that.
      • Or, we could all have publicly accessible Windows Shares where the URL://fredsbox/myshare will somehow magically work everywhere.

      New Microsoft Outlook 2007, The Safe Way
      No more of that nasty bold text (or any other formatting for that matter) ruining your otherwise clean message.
      Enjoy getting humorous images mailed to you? Not any more!!!
      Viruses, no way, not in a text only package! (Unless the sender figures out something we didn't check, like, a buffer overflow if you make a line of text 4097 characters with no breaks.)
      E-cards are so 2006, NOW ASCII-cards!!!

      --
      A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
  2. When do we see a patch? by xot · · Score: 3, Insightful

    Is there already a race on for releasing a patch? Can the anti virus companies detect it?
    I guess it will be a mess if they don't start detecting it soon. Of course MS will be flamed again.

    --
    Lord of the Binges.
  3. is Microsoft this fragile? by yagu · · Score: 5, Insightful

    A recent slashdot story asked the question, "Is the internet that fragile?" When I see stories like this, it reminds me and should remind everyone of the other fragile technology(ies), Microsoft and their baggage.

    Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:

    As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.

    This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.

    Microsoft has made our bed, and now we all must sleep in it (ick). It's unacceptable that such an exploit could so easily take control and wreak damage. Why can a simple e-mail get in and twiddle with what should be administration-privileged system resources? I know the recommendation is everyone accessing their XP as non-administration users, but how do you enforce that, especially when for so long so many of the out-of-the-box configurations make administration rights the default login?

    I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege.

    Of course, a good outcome from this would be to reconsider the global transport of exchanging documentation (e.g., resumes and cover letters, etc.) to something a little less Microsoft, a little more open, and a little less prone to exploits. That can't happen soon enough.

    1. Re:is Microsoft this fragile? by Politburo · · Score: 3, Insightful

      I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege

      You act like MS is the only company that does this. Nothing could be further from the truth.

    2. Re:is Microsoft this fragile? by d_jedi · · Score: 3, Insightful

      I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege
      "Unique privelege (sic)"? Not quite.. just about every software company absolves itself of legal responsibility in this way.. why, even the GPL does it.

      --
      I am the maverick of Slashdot
    3. Re:is Microsoft this fragile? by gmiley · · Score: 3, Insightful
      Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:
      As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.
      This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.

      This suggested work-around should never have been... well, suggested. Unfortunately, until this has been fixed it leaves a network wide open to potential problems. One must weigh the losses and choose the lesser. Infected network, potential compromise/loss of data/work/money, or block files for the time being, perhaps quarantine them until proper detection methods are ready, and possible loss of a few hours for a few people.

      That all depends on the organization as to what would be more acceptable.

      Continuing on, I see this all the time, people immediately bash MS. Granted, it is their software, however, it could be (and occasionally is) software created by other companies. It just so happens that MS is a popular choice for the majority of the world.
      I know the recommendation is everyone accessing their XP as non-administration users, but how do you enforce that

      Any properly admin'ed network can easily do this. At home is a different story, but those that refuse to work with only the minimum required permissions take the risk of exposing themselves to a larger selection of potentially harmful attacks.
      I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege

      I doubt you would happily take responsibility if you let your neighbor borrow your lawnmower who then promptly used it to run over his own dog...
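The Symantec workaround quoted above (block Word attachments at the perimeter) is only as good as the filter's ability to recognise a Word document, and a filter that keys on the `.doc` extension or the declared MIME type is trivially bypassed by renaming the file. The following is an added example, not code from the article, Symantec or any commenter: a Python perimeter check that classifies attachments by their leading bytes (the OLE2 compound-file header used by legacy `.doc`, and the ZIP container with a `word/` directory used by `.docx`) and proposes quarantine on a content match. The lure message, the sender addresses and the attachment bodies are constructed test input; the OLE2 header is genuine but is followed only by padding, not a real document.

```python
"""Classify e-mail attachments as Word documents by their bytes, not their name or MIME type."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Magic numbers. OLE2 (Compound File Binary) is the container for legacy .doc, .xls and .ppt;
# OOXML (.docx) is a ZIP whose document parts live under word/.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_attachment(data: bytes) -> str:
    """Return 'ole2-compound', 'word-ooxml' or 'other' for an attachment body."""
    if data.startswith(OLE2_MAGIC):
        # Legacy Word, Excel and PowerPoint share this header. Telling them apart needs the
        # container's directory (a "WordDocument" stream), which this example does not parse,
        # so every OLE2 container is treated as a Word-class document for blocking purposes.
        return "ole2-compound"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "word-ooxml"
    return "other"


def scan_message(raw: bytes) -> list:
    """Decode each attachment and decide whether a perimeter filter should hold it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        kind = classify_attachment(data)
        findings.append({
            "filename": part.get_filename() or "(unnamed)",
            "declared_type": part.get_content_type(),   # what the sender claims
            "detected": kind,                           # what the bytes say
            "quarantine": kind != "other",
        })
    return findings


def build_sample_message() -> bytes:
    """Constructed test input: a lure in the style of the article, carrying one OLE2
    container disguised as text/plain 'notes.txt' and one genuine text file."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # assumed addresses, not from the article
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Revised document, please have another look"
    msg.set_content("See attached.")
    disguised_doc = OLE2_MAGIC + b"\x00" * 504   # header plus padding; not a real document
    msg.add_attachment(disguised_doc, maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment("Meeting notes, nothing more.", filename="readme.txt")
    return bytes(msg)


def build_minimal_docx() -> bytes:
    """Constructed minimal OOXML container, just enough to exercise the ZIP branch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
    print(classify_attachment(build_minimal_docx()))
```

The declared type and the detected kind are reported side by side because the disagreement itself is the signal worth alerting on: a `text/plain` part that starts with an OLE2 header is exactly the renamed-attachment trick the filter exists to catch.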
  4. a better workaround by frankie · · Score: 3, Insightful

    The exploit only works properly in Office 2003 (and crashes Office 2000). Given that emailed DOC files are pretty much required for millions of people to do their jobs, the most effective short-term workaround is use something else to read DOC files.

  5. Clarification: Attack is from China, not of China by WillAffleckUW · · Score: 5, Insightful

    For all we know, the Zombie Overlords live in Scranton, NJ or Brazil.

    They're just using the incredibly insecure servers one can find in China and nearby countries to base the attacks from.

    Now, that doesn't mean they aren't Chinese - in fact, that's quite possible - just that where an attack comes from is frequently not where the people who set it off are based.

    --
    -- Tigger warning: This post may contain tiggers! --
  6. Good lord by Darkman,+Walkin+Dude · · Score: 3, Insightful

    Refer to a url pointing at a share within the company instead.

    Have you never heard of phishing?

  7. Re:Not funny by BFaucet · · Score: 3, Insightful

    What really gets me is how rarely the methods these vulnerabilities use are used for useful purposes.

    In most cases rich text or even plain text documents are more than adequate. Do memos and resumes really need to have executing code in them?

    --
    -Derick
  8. Re:Geez. by LurkerXXX · · Score: 5, Insightful
    if you don't know the sender, DON'T OPEN THE FILE

    WRONG! Modern viruses, for YEARS now, have set their 'sent from' address as a random address they found in either the internet cache, or ADDRESS BOOK of the infected machine. Often many people in a random address book already know each other. That means the virus has a very good chance to be sent 'from' someone you know (in the address line), although that person didn't send it.

      Don't trust an attachment just because it appears to come from someone you trust. If you aren't expecting that exact attachment, or there isn't very, very clear wording in the email that would make it relevant to something you know about rather than some generic topic, don't open it. Take two seconds and email the person back and ask what it is.

    Trusting an attachment just because it appears to come from someone you know is STUPID.

  9. Re:My PC Compatriots Won't Listen... by necro2607 · · Score: 3, Insightful

    Even worse, Word .Docs contain huge amounts of "history" in them.

    I have, many times, opened project scope documents (obviously having been based off of older docs) and seen the private/confidential project details of past clients (to the extent of specific dollar amounts etc.)... All because Word, behind the scenes, tracks your changes as some kind of "convenience"...

    I'm sure you can turn off that option, but just consider the technical knowledge of the average marketing/sales person in the office...

    In a small business without some strict & exact security policies, it's obviously very easy for default settings like these to exist completely unnoticed for years (no one noticed until I was like WTF when I joined the company)...
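The leak described in the comment above (an old client's figures surviving in a reused scope document as tracked changes, plus the author trail Word keeps in the file's properties) can be checked for mechanically before a document leaves the building. This is an added example, not code from the commenter or from Microsoft, and it assumes the OOXML `.docx` format, where tracked changes are `w:ins`/`w:del` elements in `word/document.xml` and author metadata lives in `docProps/core.xml`; the binary `.doc` files of the article's era store the same kind of residue but need a different parser. The sample document, client names and dollar amount are constructed for the example.

```python
"""Audit a .docx for tracked-change residue and identifying metadata before it is sent out."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
IDENTIFYING = {"creator", "lastModifiedBy"}   # core.xml fields that name people


def tracked_changes(document_xml: bytes) -> list:
    """Return (kind, author, text) for every w:ins / w:del block in word/document.xml."""
    root = ET.fromstring(document_xml)
    found = []
    for ins in root.iter(f"{{{W}}}ins"):
        text = "".join(t.text or "" for t in ins.iter(f"{{{W}}}t"))
        found.append(("inserted", ins.get(f"{{{W}}}author"), text))
    for dele in root.iter(f"{{{W}}}del"):
        # Deleted runs keep their text in w:delText; Word hides it but does not remove it,
        # which is how a previous client's details travel inside a "new" document.
        text = "".join(t.text or "" for t in dele.iter(f"{{{W}}}delText"))
        found.append(("deleted", dele.get(f"{{{W}}}author"), text))
    return found


def core_metadata(core_xml: bytes) -> dict:
    """Flatten docProps/core.xml into {local-name: text}."""
    root = ET.fromstring(core_xml)
    return {child.tag.split("}")[1]: (child.text or "") for child in root}


def audit_docx(data: bytes) -> dict:
    """Open the container and list everything a recipient should not be able to see."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        changes = tracked_changes(zf.read("word/document.xml"))
        meta = core_metadata(zf.read("docProps/core.xml")) if "docProps/core.xml" in names else {}
    leaks = [f"{kind} text by {author!r}: {text!r}" for kind, author, text in changes]
    leaks += [f"metadata {k}={v!r}" for k, v in meta.items() if k in IDENTIFYING and v]
    return {"changes": changes, "metadata": meta, "leaks": leaks}


def build_sample_docx() -> bytes:
    """Constructed stand-in for a scope document reused from an older client's file."""
    document = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body>
  <w:p><w:r><w:t>Scope of work for </w:t></w:r>
    <w:del w:id="1" w:author="jsmith" w:date="2006-05-01T09:00:00Z">
      <w:r><w:delText>Acme Corp (budget $250,000)</w:delText></w:r>
    </w:del>
    <w:ins w:id="2" w:author="jsmith" w:date="2006-05-19T09:00:00Z">
      <w:r><w:t>Globex Inc</w:t></w:r>
    </w:ins>
  </w:p>
</w:body></w:document>"""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>mjones</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    for line in audit_docx(build_sample_docx())["leaks"]:
        print(line)
```

Running this over a batch of outgoing documents turns the "someone noticed years later" failure into a pre-send check; a non-empty `leaks` list is the signal to accept all changes and strip properties before the file goes anywhere.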