Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Word Zero-Day Exploit Found

Posted by ryuzaki0 on from the don't-do-any-work-today dept.

subbers writes "A zero-day flaw in Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"

13 of 396 comments (clear)

  1. At least it's not open source by Anonymous Coward · · Score: 5, Funny

    You know how unreliable OSS is after all...

  2. Not overly bad, combined with some others bad. by Novanix · · Score: 5, Insightful

    This type of spam isn't too bad given traditional spam methods, as smarter users won't open attachments from people they don't know. The dumb ones generally dont know a word doc from an EXE so hopefully they are also avoiding most attachments. However there have been a few articles on the future of spam and local data mining. Consider what would happen if the next virus your co-worker got looked through their emails, found the last word document they sent out, and then copied that but embedded this exploit. They might even say, its been revised please have another look. The chances you wouldn't open this are extremely low, and especially when you are opening a normally okay attachment. It is coming from someone you know, from their computer, through their isp, and even is styled the same way as normal. The question is how will we attempt to combat such things? It doesn't just have to do with holes in microsoft office, or any other format too. When local data mining is combined with exploits in any other common formats (give the image exploits of other os's even) you now have a delivery method that can almost promise execution.

    1. Re:Not overly bad, combined with some others bad. by Jimmy+King · · Score: 5, Informative

      You haven't done any computer support for non-technical people in a long time, have you? It's only been a couple years since I broke free from the shackles of technical support, so believe me when I say way too many people will open this without thinking twice.

  3. is Microsoft this fragile? by yagu · · Score: 5, Insightful

    A recent slashdot story asked the question, "Is the internet that fragile?" When I see stories like this, it reminds me and should remind everyone of the other fragile technology(ies), Microsoft and their baggage.

    Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:

    As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.

    This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.

    Microsoft has made our bed, and now we all must sleep in it (ick). It's unacceptable that such an exploit could so easily take control and wreak damage. Why can a simple e-mail get in and twiddle with what should be administration-priveleged system resources? I know the recommendation is everyone accessing their XP as non-administration users, but how do you enforce that, especially when for so long so many of the out-of-the-box configurations make administration rights the default login?

    I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege

    Of course, a good outcome from this would be to reconsider the global transport of exchanging documentation (e.g., resumes and cover letters, etc.) to something a little less Micrsoft, a little more open, and a little less prone to exploits. That can't happen soon enough.

  4. In related news by Siberwulf · · Score: 5, Funny

    Sony announces it will be sending an apology note to users who were infected by their rootkit DRM. The apology will be in .doc format.

  5. real damage? by gEvil+(beta) · · Score: 5, Funny

    Finnish anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

    Yeah, but can they do any real damage? : p

    --
    This guy's the limit!
  6. Only a taste... by gerrysteele · · Score: 5, Funny

    ...of things to come. This is the Microsoft Windows Vista teaser trailer :p

  7. Clarification: Attack is from China, not of China by WillAffleckUW · · Score: 5, Insightful

    For all we know, the Zombie Overlords live in Scranton, NJ or Brazil.

    They're just using the incredibly insecure servers one can find in China and nearby countries to base the attacks from.

    Now, that doesn't mean they aren't Chinese - in fact, that's quite possible - just that where an attack comes from is frequently not where the people who set it off are based in.

    --
    -- Tigger warning: This post may contain tiggers! --
  8. Re:Question by Fat+Idiot · · Score: 5, Informative

    Zero Day means that the vulnerability was previously unknown. Hence there are no days between dicovery of the vuln and dicovery of the exploit in the wild.

  9. Re:Question by MarkByers · · Score: 5, Informative

    Hmm the Wikipedia page doesn't really explain it very well: http://en.wikipedia.org/wiki/Zero_day so let me try.

    It means that the exploit was discovered by crackers before any patch has been made available to the public. In other words there is nothing you can do except not open any .doc files unless you want to run the risk of being cracked.

    But of course, everyone knows that Word is full of holes because no-one has really attempted to use it as an attack vector yet since there are many easier ways.

    --
    I'll probably be modded down for this...
  10. Re:Geez. by LurkerXXX · · Score: 5, Insightful
    if you don't know the sender, DON'T OPEN THE FILE

    WRONG! Modern viruses, for YEARS now, have set their 'sent from' address as a random address they found in either the internet cache, or ADDRESS BOOK of the infected machine. Often many people in a random address book already know each other. That means the virus has a very good chance to be sent 'from' someone you know (in the address line), although that person didn't send it.

    Don't trust an attachment just because it appears to come from someone you trust. If you aren't expecting that exact attachment, or there isn't very very clear working in the email that would make it relevant to something you know about rather than some generic topic, don't open it. Take two seconds and email the person back and ask what it is.

    Trusting an attachment just because it appears to come from someone you know is STUPID.

  11. Name Change? by JoshuaJarman · · Score: 5, Funny

    Maybe they should consider renaming MS Word to MS Access?

  12. WordPad by Nom+du+Keyboard · · Score: 5, Informative

    Open your .doc documents in WordPad. The nice thing about it, aside from it being free and included in all flavors of Windows, is that it's too stupid to do any of the fancy stuff. It has long been a favorite to avoid macro viruses for the same reason.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."