Slashdot Mirror
Microsoft Issues Zero-Day Attack Alert For Word
0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
http://docs.google.com/
In the meantime, download and use OpenOffice
2cv
Microsoft DOES NOT suggest that
as stated in the summary.What they do say is :
That is nothing more than standard precautions that one should take anyway. If you aren't expecting an attachment, don't open it. If you are expecting it, and it is from a trusted source, go ahead.
Nothing to see here, move along...
And as you tread the halls of sanity, You feel so glad to be, Unable to go beyond. I have a message, From another time..
The actual quote from the Microsoft page is:
If you send an email to Fred saying "Can you send me xxxx", and Fred replies, saying "Here it is", you can probably safely open the attachment. You should just exercise caution when Fred sends you an email out of the blue saying "Hey, read this would you?".
Repton.
They say that only an experienced wizard can do the tengu shuffle.
And typical me not reading TF security advisory before posting. The actual wording from Microsoft is:
Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.
It means an exploit there is no patch for! Its the zeroth day that they know about it :P
Obligatory blog plug: http://www.caseybanner.ca/
Zero day: At the time the details of the exploit are published (or the patch is released), there already is an active exploit being circulated. I guess if you don't know exactly when the exploit was released it's a technically "less than or equal to zero-day" exploit, but that doesn't sound as sexy.
It means that there is a working exploit out there in the wild, which is using a vulnerability that was previously unknown to the security community / the software maker. That is, there was zero days warning.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
A simple search would turn up the answer. It basically means there's no warning, and no time to prepare. The exploit's existence is made public the same day as the flaw's existence.
Why dont you just RTFA? It clearly says "Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources." But instead of reading, people are just to busy to type "OMG OFFICE SUCKS(etc)" or "OPENOFFICE is the BEST" Sidenote: Currently using 2007 Standard Trial, and liking it.
That's a lot more than two words. Perhaps you should have used the preview button?
I thought Zero-day refered to the first day that a vulnerability is publicly available. Start counting up from there. I've seen it used in every possible way though. Sometimes I gather people are refering to the day the patch was issued. Wikipedia doesn't really clear it up http://en.wikipedia.org/wiki/Zero_day
Tharkban (It is a signature after all)
Also observe that Office 2007 isn't affected. Obviously MS is doing something right in the next generation of their products.
Office for MacOS X has 2 versions: v.X (10.x) and 2004 (11.x)
There is no 'Microsoft Word 2004 v. X for Mac'
Yes, it would. For the Mac there is Neooffice (neooffice.org). While it is not as fast as using the Microsoft products, it is fast enough and does not seem to crash as often (I hate using word with document that have more than a couple of footnotes, tables, etc. Almost always Office will crash... been through all the checks on fonts, etc. Office is a crappy product. What I would like to see is an update of FrameMaker for the Mac, come on Adobe, you know it is a good product if only you were to maintain it properly and give it a current GUI... or release it to the open software community).
sure. and the EWeek article says
> Microsoft suggests that users "not open or save Word files," even from trusted sources.
I'm sure you see how these are, in fact, different statements.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
how on earth can someone code so sloppily that a WORD PROCESSOR has a serious security exploit?!
The usual reason - a local buffer created from the stack set to a fixed size. ie.
char cbuf[MAX_BUFFER];
I would guess that the Microsoft Word document file will be arranged using a chunk data format:
file header followed by object headers with type, version, length, followed by binary data for that object
In this way, unknown chunks can just be skipped over.
It would be no surprise that each programmer coding a particular object (formula, table) would assume that only
they would be theonly one writing read/write routines for their particular object, and choose to use a local stack
buffer to store the raw binary data, before converting it to the internal data structure.
When reading the document, they would just read the header as normal (type,version,length), then read the specified
amount of object data without checking the validity of the length.
And it only takes one programmer to make this mistake in order to create a security vulnerability that compromises
the entire application. Get the right type of data in the Word document, and you could theoretically load and execute
some executable code stored the file.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
What GP was mad about is not that user processes can have bugs, but that user processes could be in a position to threaten the stability of the operating system. He's wrong about the nature of the threat we're talking about here, but that's a separate point.
If you're on the Mac too, then TeXShop is a pretty decent GUI for LaTeX documents. It's universal, open-source (GPL), and ties in with MacTeX and Aqua.
Here is a message we sent to customers. Links were added for posting on Slashdot:
Everyone,
Don't use Microsoft Word. Use Open Office instead. This advice remains effective until Microsoft releases a patch, and it is installed.
Microsoft just issued a security advisory warning people not to open Microsoft Word documents unless they have the latest version of Microsoft Word, which was just released, and costs $329 for the upgrade, or $679 for the most powerful full version.
On the security advisory web page the relevant parts are buried in sections that aren't visible unless you click on them:
"Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file."
"We recommend that customers exercise extreme caution when they accept file transfers [files] from both known and unknown sources."
The vulnerability is being actively used to infect user's computers. That's the meaning of the phrase "zero-day" attack in the first sentence of the advisory. None of the anti-virus software vendors have made signatures for this attack yet, which means that anti-virus software CANNOT protect against an attack.
The reason Microsoft says to "exercise extreme caution" with files received "from both known and unknown sources", is that no one, not even computer consultants, can know whether a source can be trusted, since the anti-virus vendors have not yet made a method of detection for this vulnerability.
Michael
Rather than VI and LaTeX, you may find LyX more comfortable. It's more word-processor-like, but w/ an interesting and innovative concept, it's a ``What You See Is What You Mean'' _Document_ Processor.
http://www.lyx.org/
Then, once it's done you can export to LaTeX and hack at things to your heart's content.
William
Sphinx of black quartz, judge my vow.
I don't use a word processor, I use LaTeX, which seems to have much better layout rules than any version of Word I have seen. The document I am working on is around 200 pages. Compiling it (including invoking gnuplot to draw a load of graphs, pulling in a few code files and syntax highlighting them, constructing an index and bibliography, and making sure all cross-references are correct) takes 7 seconds of wall time on my current laptop, and most of that is time spent waiting for I/O.
Since the original topic of this discussion was security vulnerabilities, let me note this: I hope you realize that in order to run gnuplot, makeindex, bibtex and who knows what else directly from LaTeX, which is what you seem to be doing based on your description (unless you use some sort of makefile based solution), you must most certainly have \write18 enabled on your TeX installation, which is a major security hole. It gives TeX a shell access, and can execute any code embedded in a tex file or hidden in a package or a cls file.
Don't get me wrong, I love TeX, use TeX for all my document processing needs, and wouldn't touch Word with a 15.5 ft pole, and have \write18 enabled on all my TeX installations, because it just make things so much easier. I just wanted to point out that as far as security goes, maybe we shouldn't be so smug when comparing to Word. Quality of output, sure, easiness and speed of document creation, definitely, in these areas we win without breaking a sweat, but we do have our own security problems.
By the way, the smalltalk based system you are talking about sure sounds interesting.
AccountKiller