MS Word Zero-Day Exploit Found
subbers writes "A zero-day flaw in the Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"
You know how unreliable OSS is after all...
This type of spam isn't too bad given traditional spam methods, as smarter users won't open attachments from people they don't know. The dumb ones generally don't know a Word doc from an EXE, so hopefully they are also avoiding most attachments. However, there have been a few articles on the future of spam and local data mining. Consider what would happen if the next virus your co-worker got looked through their emails, found the last Word document they sent out, and then copied that but embedded this exploit. They might even say, "it's been revised, please have another look." The chances you wouldn't open this are extremely low, especially when you are opening a normally okay attachment. It is coming from someone you know, from their computer, through their ISP, and is even styled the same way as normal. The question is how will we attempt to combat such things? It doesn't just have to do with holes in Microsoft Office, or any other format either. When local data mining is combined with exploits in any other common formats (given the image exploits of other OSs even) you now have a delivery method that can almost promise execution.
Is there already a race on for releasing a patch? Can the anti virus companies detect it?
I guess it will be a mess if they don't start detecting it soon. Of course MS will be flamed again.
Lord of the Binges.
A recent slashdot story asked the question, "Is the internet that fragile?" When I see stories like this, it reminds me and should remind everyone of the other fragile technology(ies), Microsoft and their baggage.
Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:
This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.
Microsoft has made our bed, and now we all must sleep in it (ick). It's unacceptable that such an exploit could so easily take control and wreak damage. Why can a simple e-mail get in and twiddle with what should be administration-privileged system resources? I know the recommendation is everyone accessing their XP as non-administration users, but how do you enforce that, especially when for so long so many of the out-of-the-box configurations make administration rights the default login?
I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privilege.
Of course, a good outcome from this would be to reconsider the global transport of exchanging documentation (e.g., resumes and cover letters, etc.) to something a little less Microsoft, a little more open, and a little less prone to exploits. That can't happen soon enough.
How many EXTREMELY critical flaws is it already that Word documents have?
How is it possible these things still keep coming up?
It's not even funny anymore...
Sony announces it will be sending an apology note to users who were infected by their rootkit DRM. The apology will be in .doc format.
Microsoft: Open source 'not reliable or dependable'
What if Digg added local news and a Slashdot inspired comment karma system? ---
http://houndwire.com
Finnish anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.
Yeah, but can they do any real damage? : p
This guy's the limit!
Would someone with more knowledge than me explain the term "zero day"?
I would like to point out that as a pen tester, Microsoft products really *DO* make my job easier.
Is this an exploit that somehow grants malicious code access privileges even beyond the user's access level, or does this simply allow execution of arbitrary code at the access level of the user who is running Word?
If it is the former, then it's a very serious flaw. If it's the latter, then it's a serious flaw, but one that will only really adversely affect people stupid enough to run as Administrator all the time, despite Microsoft's own warning against such idiotic practices.
If it is the latter, then I have further justification to use against the users who have complained about losing their Administrator privileges.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
FTA: Symantec's DeepSight team said the exploit successfully executes shellcode when it is processed by Microsoft Word 2003. The malicious file caused Microsoft Word 2000 to crash, but shellcode execution did not occur.
Wonderful! So it only affects the latest-and-greatest versions of Office. Considering that MS hasn't added anything since Office 95 (I still run '97, myself), I expect only business users on SA should ever get hit by this exploit.
Then again, I suppose this means that Microsoft has added something, at least since Office 2000... Namely, more security flaws. Woot! Way to go Billy G! "Focus more on security" indeed.
Patch available: http://www.openoffice.org/
I'll probably be modded down for this...
Guess it is a good thing that I haven't seen enough added value to justify a move from Word 2000 to 2003 in our organization.
Does this still work with hardware supported Data Execution Protection enabled I wonder? Just curious. Seems like the kind of thing it's supposed to trigger against. I know that with it enabled, I can't profile a visual studio project I'm working on, as the profiling app hooks into the memory of the app I'm working on. Not sure if this is a similar thing though. But still, seems like something that should be a clear separation between executable and data segments of memory.
...of things to come. This is the Microsoft Windows Vista teaser trailer :p
The exploit only works properly in Office 2003 (and crashes Office 2000). Given that emailed DOC files are pretty much required for millions of people to do their jobs, the most effective short-term workaround is use something else to read DOC files.
For all we know, the Zombie Overlords live in Scranton, NJ or Brazil.
They're just using the incredibly insecure servers one can find in China and nearby countries to base the attacks from.
Now, that doesn't mean they aren't Chinese - in fact, that's quite possible - just that where an attack comes from is frequently not where the people who set it off are based in.
-- Tigger warning: This post may contain tiggers! --
As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter.
How about:
- make sure your users don't work as administrator but under an unprivileged user account
- setup the system so that this unprivileged user account cannot write in %windir% and %ProgramFiles%
- build the network in such a way that programs cannot directly "connect home" but can connect to the Internet only via well-defined proxy servers
- setup mail so that incoming office documents opened from mail do not open in Office but in the free Office viewers instead
It helps not to open infected files :)
When some other OS with some other standard office suite becomes the de facto standard for business AND for home users, we'll see the same sort of security breaches for that particular combination of software. It hasn't been done yet because there are twenty (or more) times as many Windows machines, and Windows has a larger percentage of careless users.
When Joe Six Pack switches to Linux/Unix/Mac/whatever and MS is the underdog, suddenly they'll be the secure ones.
Incidentally, it's not trolling to point out that I haven't seen a virus since early 2000, and that was because I hated updating W2K on dialup and put it off.
120 characters for a sig? That's bloody useless.
I have a PDA running WinCE, and I can only sync it with MS Active Sync if I am logged on as administrator. I really detest this. It would be so much better if each member of the family could sync their own PDA when logged in as themselves. However, Active Sync does not appear to support this. This machine has to be connected to the internet to update my WinCE apps. I suspect this makes Active Sync "goods not of merchandisable quality" in the terms of the UK "sale of Goods Act", and I am willing to participate in a class action against MS.
I only use the Windows computer for syncing my PDA. For everything else, I use FreeBSD.
Sent from my ASR33 using ASCII
How do you watch flash animations, then?
Do daemons dream of electric sleep()?
Refer to a url pointing at a share within the company instead.
Have you never heard of phishing?
What he can't kill, he has sex on. Trent.
WRONG! Modern viruses, for YEARS now, have set their 'sent from' address as a random address they found in either the internet cache, or ADDRESS BOOK of the infected machine. Often many people in a random address book already know each other. That means the virus has a very good chance to be sent 'from' someone you know (in the address line), although that person didn't send it.
Don't trust an attachment just because it appears to come from someone you trust. If you aren't expecting that exact attachment, or there isn't very, very clear wording in the email that would make it relevant to something you know about rather than some generic topic, don't open it. Take two seconds and email the person back and ask what it is.
Trusting an attachment just because it appears to come from someone you know is STUPID.
It's a medium of communication, and text is the only content which can be assumed to be usable by any recipient. Sending anything other than plain old text, unless there is prior agreement between both sender and receiver, is a hindrance to communication.
http://www.efn.no/html-bad.html
"National Security is the chief cause of national insecurity." - Celine's First Law
Now this is what I call an "Open Document Format"!
It is Open, as in open for hackers to drop root kits on your system.
As in grab-your-ankles open.
It is also Accessible, as other people now have access to your system.
Why does a document need to have the ability to contain code and execute code on your system?
I'd be happy with just formatting features and losing all "fancy garbage" that allows these holes to exist.
Maybe they should consider renaming MS Word to MS Access?
...when I tell them, that my Mac OSX laptop is the CHEAPEST form of absolute insurance against the MS EULA protected gross safety problems of MS's XP Pro & MS Office.
They do critical MS Word docs back and forth with clients and the FDA in Wash. D.C. all day long, and I really don't think they accept how risky this is today, particularly if a document comes in forwarded from a reliable source that has had the malicious rootkit somehow patched onto an otherwise legitimate document that they need to file with the FDA.
Of course that makes me wonder how the FDA handles a malicious MS Word document. They are no different than anyone else in receiving zero day exploits.
Each time a zero day or other serious problem hits, I remind them, but they are literally afraid of having to learn something new, & so stick with the MS offerings.
Since all these factors can be spoofed, insist that anyone who is sending you an attachment first send you a plain text e-mail advising you that he/she is about to send the attachment. This message should include your name in the body in the text, a brief description of what is being sent, and maybe even a worded statement of the date and time to confirm the time stamp. You could even establish a code word or phrase with regular correspondents and ask that they include that in both subject line and text body. Conversely, if you do receive an unexpected attachment, but it appears to be from a known correspondent, e-mail them and ask if they sent you a message with attachment with subject line XXX at such and such a date and time.
Seems like a lot of trouble to go through? Compare the momentary annoyance to the time and cost of ridding your machine of a nasty virus. I've known people who are well aware of the tricks and trades of virus-sending assholes who get infected simply because they get careless or lazy and don't take steps such as the above.
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
Open your .doc documents in WordPad. The nice thing about it, aside from it being free and included in all flavors of Windows, is that it's too stupid to do any of the fancy stuff. It has long been a favorite to avoid macro viruses for the same reason.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
If users have to fear opening a word processing document, something is terribly wrong with the word processor. Okay, I'll give you a break that you can't stop all buffer overflows and the such, but when the software is on the level of Microsoft Word (in terms of exploits, bugs) there needs to be some serious rethinking done inside the developers' minds.
I use this:
http://www.pc-tools.net/unix/renattach/
I just put it in the system wide procmailrc file and it runs for everyone.
It will rename files based on a file extension list that you designate. In addition it changes the MIME type headers. This forces the user to save and rename the file before launching it.
The author indicates it's no longer maintained, but it works quite well nonetheless.
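The renattach approach described above (rename attachments on a designated extension list and rewrite their MIME headers so the recipient has to save and rename the file before anything can open it) is small enough to show in full. The block below is an added example written in Python with the standard `email` package; it is not renattach's own code and not part of the original thread. The extension list, the `.renamed` suffix and the sample message with a fake `.doc` attachment are all constructed for the demonstration.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Constructed policy: extensions that get neutralised at the mail gateway.
# A real deployment would take this from configuration (renattach uses a
# user-designated list in the same way).
BLOCKED_EXTENSIONS = {".doc", ".dot", ".exe", ".scr", ".pif"}
RENAME_SUFFIX = ".renamed"
SAFE_CONTENT_TYPE = ("application", "octet-stream")


def build_sample_message() -> bytes:
    """Construct a sample e-mail with a Word-style attachment (constructed input)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Revised report"
    msg.set_content("Please have another look at the revised document.")
    # Fake payload: only the OLE2 magic bytes plus padding, not a real document.
    fake_doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="report.doc")
    return msg.as_bytes()


def neutralise_attachments(raw: bytes):
    """Rename blocked attachments and rewrite their MIME type.

    Returns (rewritten_message_bytes, [(old_name, new_name), ...]).
    The attachment bytes are kept intact; only the filename and the
    Content-Type/Content-Disposition headers change, so the mail client
    no longer hands the part straight to Word on a click.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    renamed = []
    # walk() reaches nested multiparts, unlike iter_attachments() alone.
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if ext not in BLOCKED_EXTENSIONS:
            continue
        new_name = filename + RENAME_SUFFIX
        payload = part.get_payload(decode=True)
        # set_content() clears the old Content-* headers before writing the
        # generic type, so "application/msword" does not survive.
        maintype, subtype = SAFE_CONTENT_TYPE
        part.set_content(payload, maintype=maintype, subtype=subtype,
                         filename=new_name)
        renamed.append((filename, new_name))
    return msg.as_bytes(), renamed


def attachment_summary(raw: bytes):
    """List (filename, content_type, payload) for every attachment in a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), p.get_content_type(), p.get_payload(decode=True))
            for p in msg.iter_attachments()]


if __name__ == "__main__":
    original = build_sample_message()
    rewritten, changes = neutralise_attachments(original)
    for old, new in changes:
        print(f"renamed {old!r} -> {new!r}")
    for name, ctype, _ in attachment_summary(rewritten):
        print(f"{name}: {ctype}")
```

In a procmail setup the function would sit behind a filter recipe the way renattach does; the point it makes is that the file bytes are untouched, so a user who really needs the document can still save it and rename it by hand, while the mail client's one-click handoff to Word is broken.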
I'm not at liberty to mention what the bug is specifically, but all these people suggesting absurd fixes (i.e. links and not attachments [what will this accomplish? If a user will click an attachment do you think they won't click a link??] or switching to OO [sorry, it's gimpy at best]), all of these people will find themselves feeling silly when they find out the source of the bug and realize that they can just disable that functionality.