Slashdot Mirror


MS Word Zero-Day Exploit Found

subbers writes "A zero-day flaw in the Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"

3 of 396 comments

  1. DEP? by urikkiru · Score: 4, Interesting

    Does this still work with hardware supported Data Execution Protection enabled I wonder? Just curious. Seems like the kind of thing it's supposed to trigger against. I know that with it enabled, I can't profile a visual studio project I'm working on, as the profiling app hooks into the memory of the app I'm working on. Not sure if this is a similar thing though. But still, seems like something that should be a clear separation between executable and data segments of memory.
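
The question above is whether hardware DEP would have stopped this. Whether it even applies depends on the machine's DEP policy: in the default OptIn mode only Windows system binaries get DEP, so a third-party application such as Word is covered only under OptOut or AlwaysOn. The following PowerShell is an added example, not code from the thread or from Microsoft, that reads the policy so an administrator can check rather than guess. It uses the standard Win32_OperatingSystem class and its DataExecutionPrevention_* properties; the friendly policy names are my own labels for the documented values 0 to 3.

```powershell
# Added example (not from the thread): report the DEP policy on this machine.
# Win32_OperatingSystem exposes the DEP state; SupportPolicy is 0..3.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Labels for the documented policy values (names are my own wording).
$policyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn  (all programs, no exceptions)'
    2 = 'OptIn     (Windows programs and services only)'
    3 = 'OptOut    (all programs except listed exceptions)'
}

# SupportPolicy arrives as a byte; cast to [int] so the hashtable lookup matches.
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

[pscustomobject]@{
    HardwareDepAvailable = $os.DataExecutionPrevention_Available
    Policy               = $policyNames[$policy]
    Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
    CoversDrivers        = $os.DataExecutionPrevention_Drivers
}

# Under OptIn (value 2) a third-party application like Word is NOT protected
# unless it opts in itself. To cover every process system-wide, an admin can
# switch the boot setting and reboot:
#   bcdedit /set nx AlwaysOn
```

A result of `Policy = OptIn` on a workstation means DEP is effectively off for Office documents regardless of what the hardware supports, which is the detail the question hinges on.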

  2. Re:Not overly bad, combined with some others bad. by 955301 · Score: 4, Interesting

    What virus infected document? The one that couldn't be emailed to me?

    You mean the one that has to be sitting on a server for me to get. That document was blocked a long time ago when someone else clicked on it and IT security stopped access to the IP at the firewall to prevent further spreading from the source.

    And now, since I cannot email it to someone else, the virus has to share itself on my drive and spread that link around. Only it can't because the workstation doesn't allow shares. There is a corporate share I place docs on.

    So now the virus has to find the corporate share, find a directory I have access to and embed itself there. Then email others in the company. Only most others in the company don't have access to the share I have access to. So most can't open the document.

    Now you've slowed it down to only spreading to the team with rights to the share using a medium which can be managed - temporarily block the share - scan for the document and remove it - turn the share back on. Other team members risk sharing with the few people they interact with from other teams, but the virus has to find which people those are from the permissions on the share versus mailing list - a sparse matrix.

    --
    You are checking your backups, aren't you?

  3. Re:security? by pe1chl · Score: 4, Interesting

    > I do understand your frustration. I really do.

    I don't think so. The system at work has been running like described above for 5 years and there are no real problems. And we are not sitting shaking in our chairs waiting for the next trojan or virus.

    > many applications still rely on being able to write to their %ProgramFiles% folder

    Mostly just hobbyist-in-a-garage stuff and telebanking applications. More serious developers have read Microsoft guidelines over the past years, especially when XP SP2 came out.
    The very few exceptions can be managed using a global group and an ACL entry.

    > Oh, but you're only going to let them run the apps that *you* say they can.

    This is the basis for any managed IT environment.

    > Got any remote workers?

    Remote workers can only work via the VPN, because a group-policy-applied firewall prevents them from connecting directly to the Internet.
    Via the Internet they can connect home over VPN and then back out for websurfing via the proxy. This works well.

    > they have to close the viewer, save the file, open in word, edit, save, email.

    Maybe you need to install the viewers and have a look. They actually have a menu entry to "open this document for editing" which automatically transfers control to Office.
    I actually dislike the idea of opening an attachment from a basically read-only entity like an incoming mail into a read/write application by default. Users will start editing the document and forget that it cannot be saved back to the original location.
    Opening in a viewer shows the user that it is a read-only document that they need to save elsewhere to edit it.
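
The comment above says the few applications that still need to write under %ProgramFiles% can be handled "using a global group and an ACL entry". The PowerShell below is an added example, not code from the commenter or from Microsoft, of how an administrator would first find which Program Files subfolders currently grant broad write access (the hobbyist-style apps the comment refers to) and then scope one such folder to a dedicated group. The folder name `LegacyApp` and the group `CORP\LegacyApp-Writers` are assumptions for illustration.

```powershell
# Added example (not from the thread): audit Program Files for folders where
# ordinary users have write rights, then show the narrower grant for one app.

$root = $env:ProgramFiles

# Principals that mean "everybody" on a workstation.
$broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Any ACE containing the Write bits lets a user drop or alter files there.
# Modify and FullControl both include these bits, so one mask catches all three.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

# Step 1: list every top-level application folder that grants such access.
$findings = Get-ChildItem -Path $root -Directory | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $rule.IdentityReference.Value -and
            (([int]$rule.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Folder    = $_.FullName
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # inherited entries point at a parent misconfiguration
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Step 2: for one confirmed exception, replace the broad grant with Modify for a
# dedicated global group. Names below are assumptions, not from the thread.
$appDir = Join-Path $env:ProgramFiles 'LegacyApp'   # assumed folder
$group  = 'CORP\LegacyApp-Writers'                  # assumed global group

icacls $appDir /remove:g 'Users'                    # drop the blanket grant
icacls $appDir /grant "${group}:(OI)(CI)M"          # Modify, inherited by files and subfolders
```

Running step 1 alone is the useful part for most shops: it produces the short list of applications that actually need an exception, and the `Inherited` column separates an app installer's own ACE from a write grant accidentally placed on the Program Files root itself.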