Microsoft Issues Zero-Day Attack Alert For Word
0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
That the business world just stop for a few minutes (days, weeks) while they fix this.
If I can't even open my friends' documents then what am I - as a manager to do?
Oh, wait - I don't do anything anyway and my life revolves around Excel.
Nevermind.
The Kai's Semi-Updated Website Thingy
Not open .doc? Are they fucking insane? 90% of the business is just that, messing with .doc.
Guess we know who to thank when productivity drops to zero in the coming days!
So let me get this straight... For the time being the only safe Word files are new files that other people don't need to open?
But hey, you saved a ton of money on retraining costs.
Maybe not
http://docs.google.com/
Could the problem be avoided by opening any .doc files with OO.org? I'm assuming that the exploit will only work if the file is actually opened with Word, so it would stand to reason that opening it with some other application would be safe. Can anyone tell me why I'm wrong?
my pet machine
Good general advice, really. They should put that on the Office packaging, like on a packet of cigarettes.
ant
I think we found a reason.
In the meantime, download and use OpenOffice
"Word" is a generic term in word processing. WordStar existed before Microsoft Word.
So, Microsoft are basically telling us to stop using Word? Sounds like great advice to me -- cheers, Bill!
Tubal-Cain smokes the white owl.
First, an exploit in IE causes MS to tell us to type in links manually rather than click them.
Now MS advises everyone not to use their flagship bloatware? There simply aren't enough R's, O's, F's and L's in the fabric of space-time to express how funny this is.
Or they're just scraping the bottom of the barrel for ideas on how to get people to upgrade to Vista and Office 2007.
Seriously, please be a joke. This shit is going to be hell to try and explain to everyone at work, and then un-explain later, without totally fucking up all the investment in getting them to not infect their machines with all manner of crap. :(
What the heck does zero-day mean?
Making the Ribbon, and then congratulating themselves on how cool it looks, and then making advertisements with people with dinosaur heads.
2cv
Microsoft DOES NOT suggest that
as stated in the summary. What they do say is:
That is nothing more than standard precautions that one should take anyway. If you aren't expecting an attachment, don't open it. If you are expecting it, and it is from a trusted source, go ahead.
Nothing to see here, move along...
And as you tread the halls of sanity, You feel so glad to be, Unable to go beyond. I have a message, From another time..
The actual quote from the Microsoft page is:
If you send an email to Fred saying "Can you send me xxxx", and Fred replies, saying "Here it is", you can probably safely open the attachment. You should just exercise caution when Fred sends you an email out of the blue saying "Hey, read this would you?".
Repton.
They say that only an experienced wizard can do the tengu shuffle.
And typical me not reading TF security advisory before posting. The actual wording from Microsoft is:
Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.
> 'not open or save Word files,'
Do they call it "The Evolution of Microsoft Office"?
> To help you understand more about the merits of Microsoft Office 2003, we are preparing the new series of FREE training courses for you.
TRAINING COURSE - RULE#1: Don't open or save Word files!
> It's time for an evolution! Act now to take the Microsoft Office 2003 Training Courses and get rid of your current backward office!
TRAINING COURSE - RULE#2: Since you cannot open/save your documents... get rid of your current backward Office!
More Office tips and tricks: http://www.microsoft.com/hk/office/officetips/def
Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
You forgot to mention the Vista sound. They put tons of effort into that.
Help stamp out iliturcy.
That's right, college finals! Just what we need when all those papers are due. "Sorry Prof. I can't write that research paper for you, nor can you open it safely... Guess I should get an A."
And thus begins the torrent of Microsoft mocking posts. Get your mod-points out and set them to +5 Funny because the laughs are only just beginning. *sigh*
This is a new spin to upgrade to their new Office 2007 product line.
I'm seeing this as a HUGE opportunity to start the text document revolution. You can get really creative with characters and create some really romantic notes with text. Chicks would surely go nuts for a guy who could create character-based graphics with text!
I'm not a troll, but I play one on Slashdot.
Not opening Word files seems like a good idea. Microsoft IP's in them, and that's icky.
Help stamp out iliturcy.
Download it using the links below:
http://www.openoffice.org/
http://www.thinkfree.com/
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I thought the definition of "zero-day" was an exploit issued on the same day as a patch or fix. eg. a new patch is sent out, but contains ANOTHER security hole. Someone issues a new exploit based on said hole on the same day is said to have issued a zero-day exploit. This sounds like someone picking up on the word "zero-day" and making it sound more dramatic than it really is.
Why don't you just RTFA? It clearly says "Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources." But instead of reading, people are just too busy typing "OMG OFFICE SUCKS(etc)" or "OPENOFFICE is the BEST". Sidenote: Currently using 2007 Standard Trial, and liking it.
Yet ANOTHER feature Word has that OpenOffice doesn't. :(
I'm not too worried about this because most users are aware of attachment exploits like this.
I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.
For the home user it is a bit more of an issue. At the same time, most people use Yahoo, MSN, Google or some other account that has an active scanner that I'm sure will be able to block these in the short run, if not by analyzing the file then by analyzing the subject line. Heck, chances are it'll look like spam and my firewall won't let it through to begin with.
I do wish MS would put out the technical details of this exploit. It sounds like some sort of a buffer overflow. Something tells me it is a graphic insert of some sort, but who knows.
By now you've seen dozens of postings about using OpenOffice as an alternative until Redmond patches this (One might even suspect this is a marketing ploy to encourage everyone to upgrade to Office 2007, but... naaahhh)
Folks - if there's malicious content - why take *any* chances? Upload the document to Google's Writely.com and be really insulated from malicious code!
Any sufficiently advanced technology is indistinguishable from a rigged demo. -- James Klass
Sounds like it means Trusted to Be Risky.
Well, I'll just get out my "Trusty" CanOpener application (don't laugh, as it works) and use it to open my .doc files on my Mac.
Really freaking super BAD timing, man. Thanks one hell of a lot, MicroShaft.
And there is a POLICY here where you absolutely, positively, HAVE TO have MS Office and USE IT here at Woodbury University. I was using OO.o on Linux for the longest time and sending things out as PDF to profs, but one of my profs wanted to COMMENT ON MY DOCUMENTS so no using OpenOffice and getting by.
Unfortunately I don't think ANY of my profs are going to accept the "zero-day Word exploit, sorry, no paper for you" excuse.
Knowledge is power. Knowledge shared is power multiplied.
What is the chance that we will see a fix in a week? Next week is the company's scheduled December Patch Tuesday, but there is no word yet from Microsoft on the timing of its fix for Word.
Ho! But does it affect Word '97 which my company is currently stuck on? Wait a minute... Maybe my company gets the picture... I mean, if you fail to upgrade for long enough do people give up and quit exploring for exploits for it? Or does it just mean that the software is too antiquated to have the same vulnerabilities as today's software? Let this be a lesson to you "Early Adopters". Oh nevermind, I want my Word 2k3 (or soon to be 2k7) with or without its 0-day flaw.
disconnect the triprong MS Virus Enabler: http://www.techexcess.net/images/products/600/6ft-power-cord.jpg
Help stamp out iliturcy.
!!!ROFLMAO!!!
so one gets the heads up until Zer0 Day
Make OO the standard and fork MS.
I'd Tell you all my secrets but I lie about my past
How come MS's front page mentions nothing of the incident? Shouldn't their visitors/customers be alerted? ...
Mod points are a dangerous tool. Abuse them wisely.
Good thing I connect via WiFi.
Dear Professor,
My final project for the semester is attached as a Word document. If you have any problems reading it, please let me know. Me and everyone else in your address book.
Don't have to worry about grading it. By the time you read this, I will have used the root-kit to grade it myself.
Nice porn, by the way! You dog! We'll make this our little secret.
love,
toodles
Ah, license to ignore any unexpected memos for the next couple of days, excellent
Except that I have been saying that for years. MS Doc format is an untrustworthy format. It has been known to carry unexpected payloads in the past and there are alternatives which are known to be safer yielding similar if not identical results for most people. (And if someone thinks they actually NEED to have VBA in a word document, I'd have to suggest there's probably a better way to program your way out of the situation you find yourself in. I just haven't been able to think of a good reason to have programming code in a Word document and I haven't seen a good example either. Can anyone offer a reason good enough?)
ODT works well... hell, for that matter RTF works well enough for most people.
At least there was a warning rather than 43 unannounced patches next Tuesday, I'll say that much for them. It's a shame that there is no patch yet though. Without saying how detrimental this will be for MS, I'm thinking that now I can't tell people that OOo is just like MS Office but free... now I have to tell them that it's probably safer too. Ugggh, the people that want OOo and F/OSS software to be as good as MS Office and OS products really bug me, and this story is exactly why.
Ya, sure, MS is the biggest target, so gets more hacker attention. Just the same, being king of the hill is not easy, and F/OSS software makers should do their best to simply keep doing things well, rather than doing them 'just like MS does' as its not working out so good for Redmond today.
Do everything that 80+% of users want, do it very well, and let the Excel gurus and desktop publishing companies do the things for those other 12% or so. That's the biggest bang for buck right there. That 12% might be the biggest spenders, but they also don't care about the cost, or don't want to retrain or convert etc. ad nauseum.
Support NYCountryLawyer RIAA vs People
I take it then, that this vulnerability has been fixed in Word 2007?
Coincidence? I think not!
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
How is one supposed to exercise caution when opening a Word document? Do you click on it slowly and deliberately, or do you click it carefully after giving the PC a pat on the head...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
sticking with Word 97. It's apparently not affected by this.
>Microsoft suggests that users 'not open or save Word
>files,' even from trusted sources."
Most of us figured that out a long time ago. The REAL question is whether you will be able to tell the difference between a file corrupted by this exploit and file corruption that just happens because of all the OTHER profound bugs.
Brett
Don't use Microsoft Office EVER.
Office for MacOS X has 2 versions: v.X (10.x) and 2004 (11.x)
There is no 'Microsoft Word 2004 v. X for Mac'
you mean feature parity ("we can do 5 billion kinds of tables!") as opposed to being as easy to use or having good performance.
Firefox Power http://firefoxpower.blogspot.com/
For the link to the "Sacred Ribbon." I'd heard a lot about it but never had seen a pic that was big enough to decipher. Looks about like every other freakin toolbar I ever saw, only 2-3 times as bloated. Imagine that. Oh well, to each their own...
If you want your life to be different, live it differently.
Did anyone else read that as "Microsoft Ossues Zero-Day Attack Alert For World"?
I'm running office 97 on whine.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
...that so many people have a bad habit of composing even a simple text message in Word, then emailing it out as an attachment. We have a number of people who do this at work, despite being repeatedly reminded that they can simply write their message within their email program. It's aggravating to receive an email that simply reads "see attached", then to actually read the 3-sentence message one has to save the .doc file to their computer, fire up word, and open the file, potentially exposing themselves to whatever the newest exploit is.
That's why the Windows XP Security Guide is distributed as a .doc...
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
I didn't get the memo either.
qz
Wait a minute I use Open Office, Never mind.
Just in time for finals!
This is the response to a complaint that I sent to orange.fr about an infected computer.
Hello,
We have received your mail regarding the transmission of viruses by one of our subscribers.
We thank you for bringing these facts to our attention and inform you that the necessary action has been taken against the offending user: their access was terminated today.
Regards,
Orange Internet Abuse Service
If only US ISPs did this.
For the non-French-speaking, like me, the Babelfish translation isn't too bad.
--
BMO
>What on Earth are Alice and Bob up to that everyone wants to read what they are writing to each other?
http://www.xkcd.com/c177.html
I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.
And what do you do about the exploits already mailed to you, before the firewall suppliers figure out signatures and put them in place?
And if they don't successfully design signatures to catch ALL exploits of the flaw, what do you do about later stuff that exploits the flaw differently, and arrives in the window before signatures for THAT exploit are developed.
And so on.
Reactive anti-malware firewalls and filters will always have vulnerability windows between exploit and update and will usually have multiple windows per vulnerability - because updates are triggered by exploits and signatures tend to be tuned to exploits rather than flaws.
Flaw-fixing has a window of vulnerability too, but only one (if it's done correctly).
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
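The point above, that signatures are tuned to exploits rather than flaws, suggests a coarser filter for the unpatched window: block the file format the flaw lives in, and decide by content rather than by file name. The following is an added example in C, not code from this thread or from any mail-filter product. It assumes that the vulnerable input is a Word 97-2003 binary document, which is an OLE2 compound file and always begins with the 8-byte signature D0 CF 11 E0 A1 B1 1A E1; the file names, the sample bytes and the function names are constructed for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Word 97-2003 .doc files (and .xls/.ppt) are OLE2 compound documents.
 * Every such file starts with this 8-byte signature, whatever it is named. */
static const unsigned char OLE2_MAGIC[8] =
    { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 };

enum verdict { ATTACH_ALLOW = 0, ATTACH_QUARANTINE = 1 };

/* 1 if the first bytes of the attachment carry the OLE2 signature. */
int has_ole2_magic(const unsigned char *data, size_t len) {
    return len >= sizeof OLE2_MAGIC &&
           memcmp(data, OLE2_MAGIC, sizeof OLE2_MAGIC) == 0;
}

/* Case-insensitive check of the file name's last extension. */
static int has_ext(const char *name, const char *ext) {
    const char *dot = strrchr(name, '.');
    if (dot == NULL) return 0;
    dot++;
    for (; *dot && *ext; dot++, ext++)
        if (tolower((unsigned char)*dot) != tolower((unsigned char)*ext)) return 0;
    return *dot == '\0' && *ext == '\0';
}

/* Policy for the unpatched window: quarantine anything Word would open as a
 * binary document. The content check is what an extension-only filter lacks:
 * "report.txt" carrying an OLE2 header is still a Word document as soon as
 * the recipient renames it back and opens it. */
enum verdict classify_attachment(const char *name, const unsigned char *data, size_t len) {
    if (has_ole2_magic(data, len)) return ATTACH_QUARANTINE;   /* flaw-level rule */
    if (has_ext(name, "doc") || has_ext(name, "dot")) return ATTACH_QUARANTINE;
    return ATTACH_ALLOW;
}

/* Constructed sample: the OLE2 header followed by padding, not a real document. */
static const unsigned char SAMPLE_OLE2[16] =
    { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    const unsigned char text[] = "see attached";   /* constructed plain-text body */
    printf("report.txt (OLE2 content): %d\n",
           classify_attachment("report.txt", SAMPLE_OLE2, sizeof SAMPLE_OLE2));
    printf("memo.DOC (plain text):     %d\n",
           classify_attachment("memo.DOC", text, sizeof text - 1));
    printf("notes.txt (plain text):    %d\n",
           classify_attachment("notes.txt", text, sizeof text - 1));
    return 0;
}
```

The content rule needs no knowledge of the exploit, so it has a single window (until the patch) instead of one per variant. The price is that Excel and PowerPoint binaries share the same header and get quarantined too, which is what a flaw-level rule rather than an exploit-level one costs.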
Is this a buffer overflow? Is it insert of code? Or, is it just access? Ummm... since this is just the details of HOW... well, if it's used then the code behind the exploit could make more than the infected machine vulnerable, and so, ALL WORD docs could be compromised shortly... it IS possible, until the patch comes out. But, then it won't be available to those pirates so it will spread anyway as the computers they've upgraded become infected... *grin*... tx microsoft. :P
I call computer-illiteracy job security
...not sure why files expected from trusted sources can't be infected too.
Max.
The quote in the summary was from TFA and was correct.
Your guidance is wrong. "Probably" means more likely than not. According to Microsoft's own statistics Fred's XP workstation is "probably" a rooted, keylogging spambot zombie. His files safe? Get real.
On the other hand, your machine is "probably" exploited already too, so why not just give up? Everyone else has. It's not like anybody wants to read your boring data anyway, right? Besides, what are we to do? If we can't use Office, we might as well give up and go home. We can just keep clicking away those popups until the machine slows down so much it won't function at all and then Ted from IT will fix it. You didn't really like google anyway -- that targeted search assistant is so much better at finding just the right thing. It's like it knows you.
Never mind.
Help stamp out iliturcy.
I'm so glad that I just switched to open office.
"Do not start Windows, even when using trusted computing"
I like Notepad better anyway.
Microsoft has just taken a while to get it. See reason four.
If Microsoft is doing this to boost their next Office, they are going to be surprised by the number of people who migrate to Open Office. Really, these kinds of screw ups are nails in their coffin.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
FTFA:
Many security experts said they believe corporate espionage is the main motive behind the attacks. Wow! If that doesn't make Corporate America take another look at an MS alternative office suite I don't know what should!?!?!?
Does anyone else find it cute that Word 2007 isn't listed as being vulnerable? That would certainly explain why they're in no hurry to release a fix. The "fix" is to upgrade :P How convenient that Office 2007 was just released last week. You know it only takes one loaded document to scare someone's PHB into buying the "fix" impulsively. Some will surely upgrade preemptively just out of fear.
I'm not an anti-MS fanboy at all, but I do scratch my head when I see these things. Exploits every week, sloppy code all over.. why is it that a huge company like Microsoft, with its enormous installed user base, thus guaranteed income, has such tremendous issues with deadlines and quality control? Why was Windows 95 almost Windows 96? Why is Vista still not out? Are there not enough skilled developers in the world for them to hire? Do they need better tools to assist the massive workflow? What about the resources spent chasing down exploits and producing fixes, and the collective waste of bandwidth, labor and mindshare of "patch tuesday" all over the world... They have a company that could so easily take the lead and commit ample resources to new developments and experimental computing paradigms, instead they spend all their time playing catch-up. The longer they fidget, the bigger the opportunity for a young, dynamic contender to shape up, be it Linux, Mac, or even a newcomer. Eventually, they will meet an opponent that won't sell out; one that has the balls to stand up to them and bite off some of MS' market share, rather than trading their own defeat for some shiny MS stock. By then it will be too late to turn the sinking ship around.
-Billco, Fnarg.com
Show of hands:
How many here remember: Concept?
LedgerSMB: Open source Accounting/ERP
Word was hung and using all the CPU. All Microsoft software I've ever dealt with has been crap.
Luckily it seemed to just be a corrupt document, and the version is Office Mac: Vx from 2001, so it looks like I might be safe. And my wife isn't an administrator on her own computer so that makes me feel a little better.
Still, I really should get those backups running...
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
I noticed that wordpad is also not on the affected software list... It might be a way to view Word documents without Word (or downloading additional word processors). Anyone know if it is also affected?
What GP was mad about is not that user processes can have bugs, but that user processes could be in a position to threaten the stability of the operating system. He's wrong about the nature of the threat we're talking about here, but that's a separate point.
Thanks a lot, Microsoft.
-Steve Jobs
Older versions of Notepad were vulnerable.
I've lost count of the times I've gotten security updates to notepad.
> Do not open or save Word files that you receive from un-trusted
> sources or that you receive unexpectedly from trusted sources.
You are picking nits.
Yeah, I know, Slashdot quoted Eweek who misquoted Microsoft. I just don't care.
Do you think we are somehow immune from infection by a "trusted" source? No? Then stop complaining. We don't need more lawyers in the world. More signal, less noise.
BTW, how many times did the sacred Microsoft security page use the term "root-kit"? Exactly zero. I'm glad someone is reading between the lines.
Grumble, grumble.
I sense a great disturbance on the net - it's as if 280 million adware infected PC's were suddenly shut off!
http://www.theregister.co.uk/2005/02/02/adware_market_estimate/
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
moi
They actually did say that, but you could claim the slashdot post was misquoted: "Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file."
I know this is slashdot, but RTFA.
This sig is intentionally left blank
Look, if you want OpenOffice to have the capability to take down a machine merely by opening a compromised document, you can damn well code a patch.
Sheesh.
Soylent Green is peoplicious!
you will be vindicated. I have stuck with Office 97, because I have never thought that any of the "improvements" that M$ has made in newer versions of Office were worth the price of a new program. It is now too old to be affected by the latest virus. Lord, this is sweet.
In the land of the blind, the one-eyed man is king.
Fuck you.
They are more often called people whose generation means they didn't have ready access to computers throughout their childhood and adolescence to learn how to properly use a computer. Almost anyone over the age of 40 is guilty of this sort of technical ignorance. Correspondingly, those under the age of 18 tend to be afflicted with this ignorance as well. This generation is too young to remember anything about how computers work outside the world of Microsoft Windows (command line? DOS? get real!) and OS X. Between the ages of 20 and 40 are the most computer-savvy people you will find. Outside that range, anyone who is really good with a computer is that way for one or both of two reasons. The first is that they love computers and figuring out how they work. The second is that it became necessary for them to learn how computers work, usually to assist someone else who is outside the age-range of people who are the most tech-savvy.
Don't be so quick to judge women. My boyfriend learned to code FORTRAN from his mother almost twenty years ago. I'm the only member of my family who doesn't fear the command line and have been fixing family computers as long as we've had them. My mom's female cousin builds custom computers for fun. I was hanging out with a female kernel hacker last month along with a few other women from the DC LinuxChix chapter. On Sunday I took a Japanese test with a female friend who was wearing a Linux shirt. Friday night my roommate had a friend from her all-girl high school over and we were talking about graphics cards, modding our boxes, and programming. Her grandmother is a programmer; she started back during the punch-card days. A girl in my dorm builds robots. I explain some hardware components to my male boss, and I work at a computer store. One of my dad's best female friends has been programming for over 30 years. For that matter, the first programmer was a woman! Haven't you ever heard of Ada Lovelace, after whom the programming language Ada is named? How odd it is that an occupation pioneered by a woman is now seen as an exclusively male realm in spite of so much evidence to the contrary!
look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
I'm siding with mackyrae above--she's 110% right.
And I might add that all the people I, a guy, have shown Linux to that actually switched to it were female? I've never converted another guy, but I have convinced 3 female computer geeks (they were into computers before I knew them, that is). Just because a guy shows them Linux and helps her with problems doesn't mean it was 100% his doing (I certainly can't take the credit for anything other than the demonstration). Most female Linux converts were computer geeks who simply didn't know Linux existed before.
But if you must, go live in your stupid fantasy world. Don't expect to get very far, though, if anywhere.
Microsoft-free since March 28, 2004
Sometimes I feel like I'm the only one who pays attention. Fuck, MS just started checking MS Office installations for 'validity' and shutting them down in the Windows Update procedure, and suddenly now, 3 weeks before Vista launch, MS is coming out and saying there's a MAJOR Word flaw.... Geez... can we all stretch our brains to figure out what this is about?!
Have you tried LaTeX? It does essentially the same thing - it separates out the formatting from the content, and lets you get on with writing the content quickly and easily. I recently switched to it from Word, and found that although it didn't have the nice graphical interface, once I'd got a style set up it actually sped my work up. If you're on a Mac, try MacTeX from http://tug.org/mactex/ .
Hey, our current products are insecure! So buy our latest one! It's better!
Good marketing plan there.
which is totally what she said
I've noticed now how nitpicky Windows XP has become about the authenticity of itself installed on a computer. For a while now, users of XP who want to update have to go through an annoying 'genuine validation' process. At certain points, Windows will simply not have access to software updates until MS is convinced that they'll go on a legal copy of their software.
So now, every few months they can come up with a new authentication scheme, and a week after they are introduced (and before they are cracked), Microsoft unleashes some sinister exploit that promises to do terrible things. When the user with a questionably authentic copy of Windows/Office/etc. goes to download the security patch for this exploit, he or she isn't allowed to do so due to the inability to validate the copy of the software as 'genuine'.
So the average Windows user who has a pirated copy is given the choice to either pay for the software or face some giant threat to their computers.
The Internet is generally stupid
Eh.. if you really wanted to I'm sure there would be a way of checking exactly what you send back to the Windows Update servers. These days it's dangerous just browsing the net or opening an email on a PC using Microsoft products, it's not just obvious stuff like using Windows Update that is the security risk.
which is totally what she said
Forgive my ignorance, but if a lot of the buffer overflows occur because of strcpy() when alternatives like strncpy() exist, why isn't that call deleted from the library? Sure, lots of users' programs would stop compiling *, but after some gnashing of teeth at the developers, and some hurried sed/awking, we'd be rid of this pestilent plague.
./configure --with-strcpy-is-insecure-and-i-know-it-and-am-too-lazy-to-fix-it option could be left for those that **couldn't** be changed.
A
Get your own free personal location tracker
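On the strcpy()/strncpy() question above, an added example in C (not from the poster and not from any library) showing why swapping one call for the other is not the fix: strncpy() stops writing at the bound, but when the source fills the buffer it writes no terminator, so the overflow moves from the write to the next read. The function names, the 16-byte field size and the sample strings are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed-size field, e.g. a name parsed from a file */

/* The pattern the comment is about: strcpy() never looks at the destination
 * size. With a source of 16 or more bytes this writes past 'dst' (undefined
 * behaviour, the classic stack overflow), so main() only calls it with a
 * short string. */
void copy_with_strcpy(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* The check strcpy() skips: would copying src (plus its terminator) overflow
 * a NAME_LEN-byte buffer? Returns 1 if it would. */
int strcpy_would_overflow(const char *src) {
    return strlen(src) + 1 > NAME_LEN;
}

/* The proposed replacement. strncpy() writes at most NAME_LEN bytes, but when
 * src is NAME_LEN bytes or longer it writes no NUL at all, so the next
 * strlen()/printf("%s") on dst reads past the buffer. Returns 1 if dst is
 * NUL-terminated afterwards, 0 if not. */
int strncpy_leaves_terminator(const char *src) {
    char dst[NAME_LEN];
    memset(dst, 'X', sizeof dst);            /* so a missing NUL is visible */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* A copy that actually respects the bound: measure src no further than the
 * buffer allows, refuse when it does not fit (leaving dst empty rather than
 * silently truncated), and always terminate. Returns 0 on success, -1 if
 * src does not fit. */
int checked_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    if (dst_size == 0) return -1;
    while (n < dst_size && src[n] != '\0') n++;   /* bounded strlen */
    if (n >= dst_size) {                          /* no room for n chars + NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                      /* n + 1 copies the NUL too */
    return 0;
}

/* Convenience wrapper: 1 if src fits a NAME_LEN buffer via checked_copy(). */
int checked_copy_fits(const char *src) {
    char dst[NAME_LEN];
    return checked_copy(dst, sizeof dst, src) == 0;
}

int main(void) {
    const char *ok  = "0123456789abcde";    /* 15 chars: fits with its NUL */
    const char *bad = "0123456789abcdef";   /* 16 chars: one too many */
    char dst[NAME_LEN];

    copy_with_strcpy(dst, ok);              /* safe only because ok is short */
    printf("strcpy overflow with 16-char source:  %d\n", strcpy_would_overflow(bad));
    printf("strncpy terminated, 15-char source:   %d\n", strncpy_leaves_terminator(ok));
    printf("strncpy terminated, 16-char source:   %d\n", strncpy_leaves_terminator(bad));
    printf("checked_copy accepts 16-char source:  %d\n", checked_copy_fits(bad));
    return 0;
}
```

The lesson is that the bound has to be checked against the destination and the result has to be terminated; which library call does the copying is secondary. Removing strcpy() from libc would not help code that reaches for strncpy() and then trusts the buffer to be a string.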
No it isn't. How old are you? Have you ever worked in anything other than McDonalds? Company confidentiality is essential for running a business. It's also a legal requirement in the case of HR records. Uploading particular records to Google would breach numerous laws and could get you closed down.
Legal issues aside, it's well known that Google do analysis of their data. Do you really want a bot crawling over your company's secrets? What if your business is something that overlaps with one of Google's products?
Do Google provide an SLA? Do you even know what an SLA is? What if the site's down, do you just send everyone home for the day? What's their privacy policy? Data safeguards? Encryption? Backups? Version control?
The rest of your post is equally nonsensical. What does the warranty provided with Microsoft Word have to do with corporate mismanagement and its possible effects on the western economy? Next you'll be telling me it was Microsoft that invaded Poland.
What kind of a design makes using a word processor dangerous? That by merely opening a text document you can totally compromise the system.
Your sarcasm detector needs adjustment.
"Pregnant women should not open Word documents. Opening of a Word document can seriously effect the health of your unborn child"
Here is a message we sent to customers. Links were added for posting on Slashdot:
Everyone,
Don't use Microsoft Word. Use Open Office instead. This advice remains effective until Microsoft releases a patch, and it is installed.
Microsoft just issued a security advisory warning people not to open Microsoft Word documents unless they have the latest version of Microsoft Word, which was just released, and costs $329 for the upgrade, or $679 for the most powerful full version.
On the security advisory web page the relevant parts are buried in sections that aren't visible unless you click on them:
"Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file."
"We recommend that customers exercise extreme caution when they accept file transfers [files] from both known and unknown sources."
The vulnerability is being actively used to infect users' computers. That's the meaning of the phrase "zero-day" attack in the first sentence of the advisory. None of the anti-virus software vendors have made signatures for this attack yet, which means that anti-virus software CANNOT protect against an attack.
The reason Microsoft says to "exercise extreme caution" with files received "from both known and unknown sources", is that no one, not even computer consultants, can know whether a source can be trusted, since the anti-virus vendors have not yet made a method of detection for this vulnerability.
Michael
It's always worked in the past. Why change a winning formula?
Wordpad wasn't listed as affected.
Nope, the post I replied to wasn't using sarcasm. Trust me, I'm a Brit; we practically invented sarcasm. Read it again, in its entirety. The people who modded it "interesting" agreed with me (on it not being a troll/joke at least). It's basically a typical "Microsoft are the cause of the world's problems" rant.
"C'mon, did microsoft REALLY say, "'not open or save Word files,' even from trusted sources", davidsyes
"Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file", microsoft.com
What's the difference in meaning if any between:
..
"Microsoft suggests that users 'not open or save Word files,' even from trusted sources.", kdawson
and
"Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources", MS
Nope, the post I replied to wasn't using sarcasm. Trust me, I'm a Brit
Judging from his home page URL, so is Removable Bait...
On the other hand, I tend to agree with you - I don't think the OP was being sarcastic either.
It's official. Most of you are morons.
"Could the problem be avoided by opening the any .doc files with OO.org?"
The problem for a lot of MS Word users is that the docs don't display or print correctly in OO, especially if using lots of embedded frames etc. A simpler solution that would avoid even zero-day exploits is to set the Word Viewer as the default for Word docs and write a script that deletes normal.doc at boot. Use Firefox or Opera for browsing, and use Thunderbird for email.
what about OO.org? (Score:5, Insightful)
They said this one affects Office/Word 2004 on Mac as well. I wonder what the exploit does on a Mac?
I drank what? -- Socrates
I initially thought about using OpenOffice; I think it's probably the best solution overall, since it's free and you can get it right now. But let's say you absolutely need to work in Word -- how can you make sure that a document is safe?
If you opened a document in OO, and then saved it, would the resulting document be guaranteed to be clean? What if you saved it as an RTF and then opened that back up in Word? That would probably lose a lot of people's fancy formatting, but it would preserve most of the content and markup. I suppose the most paranoid thing to do would be to save all documents out to ASCII and then open them up in Word, but at that point you've negated any reason to use Word in the first place.
If OO tries to open a file, and it has a maliciously-crafted (which to OO, I assume, would appear corrupt) binary object in it, will OO refuse to open the file / remove the corrupt object? Or will it just ignore it and continue on its way?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Maybe the method Word uses to render itself - when used on a certain font with the right combination of letters - infects your brain somehow. I guess it's working on the same principle as Flash ads.
which is totally what she said
... anything resembling "Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
It says to be extremely cautious.
FUD, from Slashdot? No way...
The flaw is in Office 2004 for Mac - and on my new MacBook, they bundled a 'trial' version of Office 2004 with OSX.
+++ UGUCAUCGUAUUUCU
If you aren't expecting an attachment, don't open it.
My god, have ANY of you people ever actually worked in an office before? Having to manually confirm every e-mail attachment I receive in a day would take, well, the entire day.
I can't believe this comment keeps getting modded "Insightful".
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
So... a "zero-day" attack used to be one that appeared on the same day as the piece of software that was being attacked. Obviously, somehow the meaning of "zero-day" has changed. What does it mean now? (As far as I can tell, it's just meaningless padding, which means that a perfectly useful concept [that of an attack that appears on the same day as the software] now has to be explained periphrastically instead of using "zero-day". I hope I'm wrong, and that "zero-day" still does have a meaning, albeit one that's changed.) Anyone care to enlighten me?
Gee, "Microsoft Recommends" is the part of this story that is skewed in a deceptive manner.
The story above lists the exact quote, "not open or save Word files" as part of the sentence, "Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
The actual quote from Microsoft's site is, "Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.", which can be checked at http://www.microsoft.com/technet/security/advisory/929433.mspx under the heading of "Workarounds for Microsoft Word Remote Code Vulnerability:" Suddenly it means something completely different. It actually describes the way you should ALWAYS treat any attachment.
Sure, we all know that MS makes stuff with lots of holes in it (like most everyone else) but that is no excuse for flagrantly deceptive reporting. I get enough of that on TV every night...
One more reason for me to stick with Word 5.1a, for writing term papers (like that's ever going to happen again). 'Course, this (and SMAC/X) will keep me from moving to Intel based Mac.
I work at a small software company and my boss doesn't seem to understand why I use OpenOffice for all my stuff. Maybe I'll send him this article.
I caught the Mountain Wumpus! He gave me his treasure chest ($100) to let him go free again.
But I *KNOW* that Microsoft Word is not transferring whatever I type to Microsoft or other third party (the network traffic would be a giveaway)... and I also *KNOW* that Google keeps the full text (and all revisions) of whatever I write in Google Docs.
Even if they "do no evil", they could be forced by law (or hacking) to release my documents.
Anyway, Google Docs is not a replacement for MS Word (yet, at least)... but rather to Wordpad. It lacks even basic word processor functionality. I still like it and use it, but more in a collaborative "closed wiki" fashion.
As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
Since Social Security in no way stops you from honoring or loving anyone, I'm a bit uncertain what's your point. After all, all Social Security does is ensures that even those of us who don't have children or rich friends won't starve when we become too old or sick to work.
Unless, of course, you are suggesting that it's good to have people starve on the streets so you can look good by giving them a few bread crumbs ? That particular line is what I've heard some people use to argue against Social Security...
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Imagine if they took the "Vista Sound" team and put them on fixing this bug!
We'd end up with a Word that would play a funeral dirge when you opened a compromised e-mail.
"...Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
Phew! I almost clicked the save button on my 25 page term paper before I read that! Thank God for Slashdot!
Microsoft is just taking the paperless office to the next level - the documentless office.
What he can't kill, he has sex on. Trent.
If Microsoft hasn't updated the Mac version of Office to be Universal Binary, Word is already running under Rosetta on Intel Macs. So the exploit should work on both platforms. Possibly a little slower on the Intel machine due to the extra layer of emulation. :)
[UID-HeinzIntel]
So there's no patch, there's no practical workaround, there are no av signatures, and there is no official explanation of the exploit mechanism. Hmm. What's a guy to do?
From:
To: All_Employees
Subject: Corporate Security Alert
Significance: High
Microsoft has announced a security alert pertaining to MSWord - probably all versions. Microsoft recommends not opening any MSWord documents from anyone, until further notice. Please see attached for details.
Thank you,
IT Department
[attachment - MSSecurityAlertDetails.doc - 1,253KB]
Well, I'm still using the outdated and unsupported Office '97, so I guess I'm safe :)
Life is pain. Anyone who says differently is selling something.
Not on PhD thesis, as it is going to be printed anyway, but it can be very useful in education.
AccountKiller
A Word document is a stream of COM data objects. This is one reason why Word documents can't be made backwards compatible, and since it's in Microsoft's interest to force users to upgrade over time they have little incentive to change this design.
The problem is that unless they take steps to prevent it, any COM object that's supported on the system can theoretically be included or referenced, including ActiveX controls. Just as in Internet Explorer and Outlook, they try to filter out "dangerous" components... but over the 7 years since they introduced IE they've been unable to solve the problem.
And they have too much face tied up in the design to easily back out even if they wanted to. And, as noted, they have little reason to want to.
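The post above describes a .doc as a container of COM/OLE objects. The container format is the OLE2 compound file: a 512-byte header, a sector allocation table (FAT) and a directory tree of "storages" and "streams", which is where embedded objects (the ObjectPool storage) and VBA (the Macros storage) live. The following is an added example, not code from the page or from any of the commenters, that parses that directory tree from raw bytes so you can see what a document carries without handing it to Word. It constructs its own minimal sample file in memory; the triage list of storage names is this example's own choice, and the sample is not a real Word file, only enough structure to parse.

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF
TYPE_NAMES = {0: "unused", 1: "storage", 2: "stream", 5: "root"}

# Containers that mean a .doc carries more than formatted text (embedded OLE
# objects, VBA). Hypothetical triage list chosen for this example.
INTERESTING = {"ObjectPool", "Macros", "_VBA_PROJECT_CUR"}


def read_fat(data, sector_size):
    """Collect FAT entries from the sectors named in the header DIFAT (109 slots)."""
    fat = []
    for i in range(109):
        sect, = struct.unpack_from("<I", data, 76 + 4 * i)
        if sect == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sect + 1) * sector_size))
    return fat


def chain(fat, start):
    """Follow a FAT chain; a crafted file can make it cyclic, so refuse to loop."""
    seen, sect = set(), start
    while sect != ENDOFCHAIN:
        if sect >= len(fat) or sect in seen:
            raise ValueError("corrupt FAT chain at sector %d" % sect)
        seen.add(sect)
        yield sect
        sect = fat[sect]


def list_entries(data):
    """Return [(path, kind, size)] for every reachable directory entry."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_shift, = struct.unpack_from("<H", data, 30)
    if sector_shift not in (9, 12):
        raise ValueError("bad sector shift %d" % sector_shift)
    sector_size = 1 << sector_shift
    first_dir, = struct.unpack_from("<I", data, 48)
    fat = read_fat(data, sector_size)
    raw = b"".join(data[(s + 1) * sector_size:(s + 2) * sector_size]
                   for s in chain(fat, first_dir))
    entries = []
    for off in range(0, len(raw) - 127, 128):          # one 128-byte entry each
        name_len, kind = struct.unpack_from("<HB", raw, off + 64)
        left, right, child = struct.unpack_from("<III", raw, off + 68)
        size, = struct.unpack_from("<Q", raw, off + 120)
        name = raw[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")
        entries.append((name, kind, left, right, child, size))
    result, seen = [], {0}

    def walk(idx, prefix):
        if idx == NOSTREAM or idx >= len(entries):
            return
        if idx in seen:                               # aliased entries: crafted file
            raise ValueError("directory cycle at entry %d" % idx)
        seen.add(idx)
        name, kind, left, right, child, size = entries[idx]
        walk(left, prefix)
        result.append((prefix + name, TYPE_NAMES.get(kind, "unknown"), size))
        walk(child, prefix + name + "/")
        walk(right, prefix)

    result.append(("/", "root", entries[0][5]))
    walk(entries[0][4], "/")
    return result


def triage(data):
    """Names of embedded-object / macro containers present, found without opening Word."""
    return sorted(p.rsplit("/", 1)[-1] for p, _, _ in list_entries(data)
                  if p.rsplit("/", 1)[-1] in INTERESTING)


def dir_entry(name, kind, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, start=ENDOFCHAIN, size=0):
    """Build one 128-byte directory entry (constructed sample data)."""
    raw_name = name.encode("utf-16-le") + b"\x00\x00"
    return (raw_name.ljust(64, b"\x00") + struct.pack("<HBB", len(raw_name), kind, 1)
            + struct.pack("<III", left, right, child)
            + b"\x00" * 36                            # CLSID, state bits, timestamps
            + struct.pack("<IQ", start, size))


def build_sample_doc():
    """Constructed minimal compound file shaped like a .doc with an ObjectPool storage."""
    header = (OLE_MAGIC + b"\x00" * 16
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
              + b"\x00" * 6
              + struct.pack("<IIIIIIIII", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<I", 0)                            # DIFAT[0]: FAT is sector 0
              + struct.pack("<I", FREESECT) * 108)
    fat = struct.pack("<III", FATSECT, ENDOFCHAIN, ENDOFCHAIN) + struct.pack("<I", FREESECT) * 125
    directory = (dir_entry("Root Entry", 5, child=1)
                 + dir_entry("WordDocument", 2, right=2, start=2, size=2)
                 + dir_entry("ObjectPool", 1, right=3)
                 + dir_entry("\x01CompObj", 2))
    word_stream = b"\xec\xa5".ljust(512, b"\x00")     # FIB magic 0xA5EC, then padding
    return header + fat + directory + word_stream


if __name__ == "__main__":
    sample = build_sample_doc()
    for path, kind, size in list_entries(sample):
        print("%-8s %6d  %s" % (kind, size, path))
    print("flagged:", triage(sample))
```

On a real file, replace `build_sample_doc()` with the bytes read from disk; a document whose tree is nothing but WordDocument, 1Table/0Table, SummaryInformation and CompObj carries no embedded object or macro container, while an ObjectPool or Macros storage is reason to look closer before anyone double-clicks it. The cycle checks matter because a file written to crash a parser often does so with a FAT chain or directory tree that loops.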
One more reason for me to stick with Word 5.1a, for writing term papers (like that's ever going to happen again). 'Course, this (and SMAC/X) will keep me from moving to Intel based Mac.
It hasn't stopped me from moving to an Intel Mac. I just don't get rid of my old machines and use a KVM switch. Though the PowerMac 7500/100 isn't getting much use anymore, even with the B&W G3's original processor in it (the B&W was upgraded to a faster G4 than my stock G4 Cube has).
Now if only I could find a KVM solution for the older Macs that use DA-15 and ADB, though I'd probably have more luck finding DA-15->VGA and ADBUSB adapters.
The networking problem is child's play compared to that. Except... does anyone know if, after all the necessary bridges are connected, I could boot my Apple IIgs off of NAS?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
at how many professors would accept "zero-day Word Exploit." In fact I think I have a solution for you.
Does anybody know if Open Office is affected?
Can you safely open (infected) word documents in OO at this moment?
Privacy is terrorism.
Should != does. I ran the following file hello.cpp through the version of G++ included with the most recent MinGW bundle:
The size of the stripped executable hello.exe was 266,240 bytes. Compare hello.c, which ideally should be semantically equivalent:
GCC produced a 5,632 byte stripped executable.
"we have processing power now"
But if that power runs out in 60 minutes because that was the largest battery that could fit in the device, what good is it? Even on desktop PCs, why are we writing the majority of applications in C++ and not, say, Python if Python is so much safer?
"C or C++ are languages btw, you have several compilers that process C or C++ code, so are you saying a compiler you've used or think MS has used is flawed or the language in itself?"
The C++ standard is eight years old. If the two most popular implementations (Microsoft and GNU) have the same flaw by now, then it is more likely than not that the language itself has a flaw that shows in all conforming implementations.
for any people that share their apps with relatives and can't update. :p
A CEO, whose name I have changed to James, replied to the version he received of my message above: "OK, so what do I do if I receive a WORD doc that I am expecting, from someone I know? If I need to see it, what should I do? Any idea how long until this latest craziness is over? James" My reply:
James,
There is no vulnerability in Open Office Writer. Just save the .DOC file or .RTF file to the hard drive and open it in Open Office. You have the latest version of Open Office, which is very compatible with MS Office. If you like, we will make it so that all .DOC files open automatically in O.O. Writer throughout [the organization].
I have no idea when this will be fixed. However, Microsoft must know more than is being said, since the company is using such strong language: "exercise extreme caution [with files] from both known and unknown sources."
When I try to translate that from corporate-speak to English, I wonder about the meaning of "exercise extreme caution". How would I do that? Would I hold my finger to the side of my nose very tightly and hope, hope, hope? Is there an animal in a closet called extreme caution, and I would take it out for exercise?
Since there is no way to know if a file is infected, and since merely opening an infected file causes your network to be infected, my translation of that statement from Microsoft is:
"Don't use Microsoft Word."
The following alternative translation is preferred by many computer professionals who have been discussing Microsoft's advice online: "Pay $329 for an upgrade to the latest version immediately." I won't bother with the corporate-speak version of my answer to that. The English version is "When pigs fly".
You now have an excellent opportunity to become accustomed to Open Office, which is better anyway, and saves files in Microsoft Word .DOC format as well as the ISO (International Standards Organization) Open Document Format.
It's a weird world out there, James. If you want to put your computer systems at risk, you will have to pay a lot more for software you already own, for a version that is very little different, with the assurance that there will be other severe vulnerabilities. If you want relative safety, using software that is less quirky, you will have to keep your money in your pocket.
Michael
Gmail has previewers for M$ Office documents.
I ALWAYS use them for reading Office documents in incoming mail (I forward them to Gmail. Takes an extra 2 seconds).
Perhaps it's a good time for Google to make it work better. Like show images as an option.
What kind of exploit is this? If I run Word in a limited Windows account, am I not protected? (what if I create an account just for reading Office docs that cannot be trusted in the same environment as other things?)
This is about every known version of Word having a vulnerability for which there is no patch or update. This isn't the place to argue about Mac OS. This is about an unleashed weapon of mass destruction like we have been worrying about, where the infrastructure of the country that includes millions of Windows systems running Office is now vulnerable to the most simple of attacks. Microsoft better have a lot of "Errors and Omissions" insurance. They are already being sued by at least one state for releasing insecure buggy code. This situation is intolerable. It throws most companies into a tizzy of paranoia about the use of Word documents. I think there is a good case for Open Office today. I simply don't use Microsoft Office anymore. This isn't about I told you so. It must be obvious that cracks are appearing in the Microsoft code monopoly. Microsoft fanboys may want to reconsider their position.
The Free Software Foundation is still in shock, but they plan to shortly release their first ever news bulletin where they DO agree with Microsoft.
;-))
Do not open or save a Word document, yes!
Could Microsoft also recommend not to use the Windows(TM) Operating System? The FSF is ready to offer them a Free (as in beer) DVD with a Free (as in speech) Operating System on it! (Well, at least somebody told me so.)
Like for example win32pad, a notepad replacement:
http://www.gena01.com/win32pad/
Just forget word and/or pretty formatting for a few days, and learn to spell!
Don't blame me, it's usually 2 in the morning when I post
Can I assume that the only reason Word 97 is not mentioned on the list of affected products is because Office 97 is no longer supported? Or would I be justified in saying "Whew, we dodged a big one here by sticking with trusty old Office 97 in this company?"
Is there a non-MS article somewhere that may answer such questions?
It seems to me that this may be an effective way to finally get people to drop Office 97.
I think that the only reason Word 97 is not listed as affected is because it is no longer supported.
Then what are you complaining about ?
People who take my money in an effort to make things fair for the poor/retired/whatever. I have a job and am saving money for retirement. Why should I pay for those who fucked up?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Thank you for demonstrating why Social Security needs to be enforced by force and the State, rather than left for voluntary charity.
Now please answer my question: if "Sucks to be you, the world's not fair" is your answer to those less fortunate or wise as you, then what grounds do you have to complain when you perceive it being unfair against you ? Maybe it sucks to pay for those who fucked up - or were fucked over - but hey, the world's not fair, right ?
Obviously you are a necro-pedo-zoophile. And before you say prove it, you prove you are not.
Yeah, they're for idiots like you to take as the sacred "truth"! Sheesh.
Microsoft-free since March 28, 2004