Microsoft Issues Zero-Day Attack Alert For Word
0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a Word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
What the heck does zero-day mean?
Not opening Word files seems like a good idea. Microsoft IP's in them, and that's icky.
Help stamp out iliturcy.
I'm not too worried about this because most users are aware of attachment exploits like this.
I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.
For the home user it is a bit more of an issue. At the same time most people use Yahoo, MSN, Google or some other account that has an active scanner that I'm sure will be able to block these in the short run...if not by analyzing the file, by analyzing the subject line. Heck, chances are it'll look like spam to my firewall, which won't let it thru to begin with.
I do wish MS would put out the technical details of this exploit. It sounds like some sort of a buffer overflow. Something tells me it is a graphic insert of some sort, but who knows.
Any reference for that? I'd love to be able to quote such to ... well, anyone, really.
Max.
At least there was a warning rather than 43 unannounced patches next Tuesday, I'll say that much for them. It's a shame that there is no patch yet though. Without saying how detrimental this will be for MS, I'm thinking that now I can't tell people that OOo is just like MS Office but free... now I have to tell them that it's probably safer too. Ugggh, the people that want OOo and F/OSS software to be as good as MS Office and OS products really bug me, and this story is exactly why.
Ya, sure, MS is the biggest target, so gets more hacker attention. Just the same, being king of the hill is not easy, and F/OSS software makers should do their best to simply keep doing things well, rather than doing them 'just like MS does' as it's not working out so good for Redmond today.
Do everything that 80+% of users want, do it very well, and let the Excel gurus and desktop publishing companies do the things for those other 12% or so. That's the biggest bang for buck right there. That 12% might be the biggest spenders, but they also don't care about the cost, or don't want to retrain or convert etc. ad nauseam.
Support NYCountryLawyer RIAA vs People
I'd rather kick in the nuts the guy who takes advantage of these 'exploits'. They cease to be exploits when there are none willing to exploit them.
They actually did say that, but you could claim the slashdot post was misquoted: "Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file."
I know this is slashdot, but RTFA.
This sig is intentionally left blank
They could also use OpenOffice instead, at least temporarily. There are also other free alternatives such as using Abiword to view Word documents that they receive from customers. Abiword is a well-known alternative for Linux computers, but I see they also have Windows and Mac versions too. I also see that Word 97 isn't on their list of affected software so perhaps businesses could also consider just using their old copies of Office 97 to view incoming documents for the next few weeks (or did they just neglect to mention any version of Word that old?).
At home, I use OpenOffice running under Ubuntu Linux, so I should still be able to view Word documents safely.
I don't use a word processor, I use LaTeX, which seems to have much better layout rules than any version of Word I have seen. The document I am working on is around 200 pages. Compiling it (including invoking gnuplot to draw a load of graphs, pulling in a few code files and syntax highlighting them, constructing an index and bibliography, and making sure all cross-references are correct) takes 7 seconds of wall time on my current laptop, and most of that is time spent waiting for I/O.
Oh, and much of the typesetting code used by LaTeX is written as interpreted macros that are run by the TeX runtime system. If it were all hard-coded, even in Java, it would be even faster.
Earlier this year, I saw a demo of a typesetting system written in Smalltalk (and running in the Squeak VM) that represented every character as an object, with simple rules (e.g. stay next to next character, jump to next line if you are over the margin, jump to the end of line if there is only whitespace between you and the end of line). It ran very fast; he dragged an image across a multi-page document, and the text re-flowed around it, and the entire thing was written in a couple of pages of Smalltalk.
If pagination is slow in Word, then I can only imagine it's because the developers need replacing.
I am TheRaven on Soylent News
I initially thought about using OpenOffice; I think it's probably the best solution overall, since it's free and you can get it right now. But let's say you absolutely need to work in Word -- how can you make sure that a document is safe?
If you opened a document in OO, and then saved it, would the resulting document be guaranteed to be clean? What if you saved it as an RTF and then opened that back up in Word? That would probably lose a lot of people's fancy formatting, but it would preserve most of the content and markup. I suppose the most paranoid thing to do would be to save all documents out to ASCII and then open them up in Word, but at that point you've negated any reason to use Word in the first place.
If OO tries to open a file, and it has a maliciously-crafted (which to OO, I assume, would appear corrupt) binary object in it, will OO refuse to open the file / remove the corrupt object? Or will it just ignore it and continue on its way?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
You, sir, are spot on. Back when macro viruses were rampant, when Word 6 would unexpectedly corrupt Word documents and make them "unreadable," it was WordPerfect to the rescue. The file conversion would strip any macro viruses, and would ignore formatting that it couldn't understand; compromised/corrupted files could be rescued (and re-saved in Word 6 format to begin the process again, because officially we are a Microsoft-only shop).
More music, fewer hits
Shit happens.
The more significant question is how on earth could an exploit like this manage to get by Quality Assurance for so many years?
The answer is that the Coding For Profit paradigm necessarily imposes a limitation on quality assurance since QA is an expense that must be charged against profits.
A viable workaround is to Code For Free under one of the open source licenses where you can nurture a community of bug-hunters and developers who provide good quality assurance for free. You generate your profits from other aspects of the software business, such as service. IBM and Redhat are doing pretty well with this approach. Until recently I would have mentioned Novell here too, but now there's some doubt about whether Novell will survive what might prove to have been a fatal error.
Wake up little SUSE! The movie wasn't so hot.... but I digress.
I expect that in the next few weeks Microsoft will offer as a workaround a free plug-in that will convert all documents to its new ECMA approved standard. MS will point to Novell as an alternate supplier (therefore avoiding immediate monopolistic legal hassles). MS will point out that MS Office 2007 will be immune to this exploit, so all businesses really need to do is to install the free plug-in and begin migrating their documents to the new format. Which will be supported by Novell's version of OpenOffice, btw, no sneaky deals here, huh?
"running around in the wild"? An exploit is a piece of code which can be used to exploit a vulnerability. One thing that the rm-my-mac-mini competition showed is that exploits have been written for undisclosed OS X vulnerabilities. If no exploits existed how could OS X's security have been breached, and the Mac Mini's files deleted? Q.E.D.; exploits do exist for OS X.
As I showed above exploits have been written for OS X. What you are saying is that the only time exploits have ever been used against OS X was in the rm-my-mac-mini competition. The hackers that look for security holes in Apple's software, and don't disclose the holes, never exploit the holes they find; they just do it in case rm-my-mac-mini competitions come up.
What about the Safari vulnerability that allows you to remotely execute code? What about the Webkit vulnerability, or the AirPort vulnerability, or the Windows share vulnerability? OS X seems to allow access more than prevent it.
So holes like anyone being able to get complete access to your machine simply by you connecting to someone wirelessly, or looking at a malicious webpage, or accessing a malicious share or folder, aren't urgent to you? If not then I should say that there's a difference between being secure, and simply not valuing your security.
But I'm citing Apple's own list of patches. Do you believe Apple's security is so flawless that the only explanation for their list of critical security holes is that they're lying?
See above; rm-my-mac-mini couldn't have happened without an exploit. If you're wondering why I keep referring to rm-my-mac-mini it's because hackers or script kiddies with OS X exploits generally don't make a habit of letting everyone know what they've been up to. rm-my-mac-mini is a source which I can cite which conclusively shows that exploits have been written for OS X vulnerabilities. (PS Writing in caps doesn't make people ignore the fact that your (only) argument has already been addressed)
The argument you seem to be stumbling towards is "OS X has practically no market share, so no piece of malicious software written for it can be mass distributed effectively, therefore OS X is secure."
Luckily for you barely anyone owns a Mac. By the same logic I could say "MS-DOS 6.22 is a perfectly secure, robust OS; there's not a single exploit being used against it".
By the way, have you noticed the recent MySpace worm that's being spread with Quicktime? Quicktime is just about the only piece of Apple software that a large number of people use to process data directly from the web, and sure enough hackers find a way to exploit it.
// MD_Update(&m,buf,j);