Slashdot Mirror


Third Microsoft Word Code Execution Exploit Posted

gregleimbeck writes "Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened."

174 comments

  1. i feel like bugs for dinner.. by Anonymous Coward · · Score: 0

    anyone else?

  2. Third Microsoft Word Code Execution Exploit Posted by Anonymous Coward · · Score: 0

    Try saying that fast three times.

  3. Wait, who still uses M$ 0ffice? by Anonymous Coward · · Score: 0

    But seriously, why would anyone use anything M$ when there are non-stop bugs and security holes. Open Office / Google Writely anyone?

    1. Re:Wait, who still uses M$ 0ffice? by reaktor · · Score: 1

      Heck yeah. OOo is nice, esp the new version. My family actually prefers it because it is not overly bloated and annoying like MS Office.

    2. Re:Wait, who still uses M$ 0ffice? by phrasebook · · Score: 5, Insightful

      I tried switching my dad to Open Office when we couldn't find the MS Office CD - he immediately complained that the small fonts he was using in his spreadsheets (less than 8 points) didn't render nicely in OO compared to Excel, so he went and bought a copy of Office 2003.

      Little things like that count for a lot. OO might be more secure than MS Office, but it's terrible quality software in user-visible ways (i.e. it's ugly, slow and bloated). These things count to people. Little problems can't just be overlooked because it's free. My dad could pick it apart within minutes, and he doesn't normally care about software at all. He didn't care about paying for Office either, in fact he didn't think twice about it.

      That's why. Nothing to do with TCO, Microsoft being evil, security, monopoly or anything else. OpenOffice just isn't very good in the ways that count to regular users.

    3. Re:Wait, who still uses M$ 0ffice? by Anonymous Coward · · Score: 0

      Are you for real? You remind me of a shill. Are you here to make people like me look bad?

    4. Re:Wait, who still uses M$ 0ffice? by Anonymous Coward · · Score: 0

      If you knew enough to download it for him you should have known enough to turn on antialiasing for font sizes 8 and lower in the options menu.

    5. Re:Wait, who still uses M$ 0ffice? by Vengeance_au · · Score: 5, Interesting

      We use both Microsoft Office and OpenOffice in our company. OO is for all internal documents, and Microsoft Office is used for external client work - purely for interoperability with corporate / government clients. Open Office can save into Microsoft Office format, but there are invariably subtle differences in the final layout - and that is just plain unacceptable.

      In the past 12 months a few clients have started using OO and we now share OO documents with them - but they are by far the minority. Hopefully the new "Open" format Microsoft is coming out with will break the barrier down, and allow pixel-perfect interoperability, but until then it is very difficult to operate in a corporate world without the "de-facto" Microsoft Office standard.

    6. Re:Wait, who still uses M$ 0ffice? by mcrbids · · Score: 4, Insightful

      If you knew enough to download it for him you should have known enough to turn on antialiasing for font sizes 8 and lower in the options menu.

      And if you knew end-users enough to comment on them, you should have known enough that end-users won't know how to turn this on.

      See, software shouldn't "get in the way" of what you're trying to do.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    7. Re:Wait, who still uses M$ 0ffice? by Anonymous Coward · · Score: 0

      Too bad you didn't have the mad skillz to install some better fonts. You can even use the MS ones.

    8. Re:Wait, who still uses M$ 0ffice? by Anonymous Coward · · Score: 0

      This is what is wrong with all Linux products. The software itself may be great, but they invest ZERO time in user interface. Microsoft, for all its faults, has done a great job in user interface design. The standard geek wants all options to be available all the time. This is generally bad design.

    9. Re:Wait, who still uses M$ 0ffice? by dc29A · · Score: 3, Insightful

      But seriously, why would anyone use anything M$ when there are non-stop bugs and security holes. Open Office / Google Writely anyone?

      (Insert random application name here) with vulnerability running as root is the problem. MS Word hole only amplifies it because it's widely used. But the problem is that everyone and their dog is running Windows as administrator.

    10. Re:Wait, who still uses M$ 0ffice? by that+this+is+not+und · · Score: 2, Insightful

      To the contrary, OpenOffice requires significantly more hardware resources to run than usable versions of MS Office. I have run Office 2000 in a usable state on an old '486 laptop with 40M of ram.

      Open Office is unusable on such a machine. It's probably 'coded better' with C++ and what-not, creating bloated structures and resource piggishness. There is probably an old version of StarOffice that would run fine on the '486, but the notion that OpenOffice is magically 'less of a load on the machine' is just wrong.

    11. Re:Wait, who still uses M$ 0ffice? by newt0311 · · Score: 2, Funny

      OOo is nice because it is free. It is however the most bloated piece of software that I have seen in terms of resource consumption including MS products. True non-bloatedness comes with emacs+LaTeX. Now there are things which do not take up any significant resources (until they are done reading my 33K startup .emacs file and increasing buffer and undo limits to ungodly levels that is.).

    12. Re:Wait, who still uses M$ 0ffice? by smoker2 · · Score: 1
      If you knew enough to download it for him you should have known enough to turn on antialiasing for font sizes 8 and lower in the options menu.
      And if you knew end-users enough to comment on them, you should have known enough that end-users won't know how to turn this on.
      See, software shouldn't "get in the way" of what you're trying to do.
      Oh dear, looks like this Microsoft Word Code Execution Exploit just "got in the way". So the end user is still at risk, is out of pocket by $cost_of_office, and exposed to malware, all for the sake of actually learning how to use a tool properly.

      Never mind, eh. I expect MS will have it fixed soon. Maybe you can play solitaire while you wait.

    13. Re:Wait, who still uses M$ 0ffice? by flyingfsck · · Score: 1

      Hmm, how about PDF for external comms?

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    14. Re:Wait, who still uses M$ 0ffice? by TheLink · · Score: 1

      Uh what makes you think OpenOffice isn't as bug ridden if not more so? AFAIK it crashes often enough that I _know_ it is bug ridden AND _will_ also have exploitable bugs.

      In fact, people say some of those demo docs crash OpenOffice too.

      --
    15. Re:Wait, who still uses M$ 0ffice? by CaspianXI · · Score: 1

      I agree that OpenOffice is still lacking in many features. Before you all throw dirt on me, let me just state that I am an OpenOffice user -- no, I'm not "betraying" the product -- I prefer not to get religious about my choices of software. However, why have I chosen to live without MS Office? Quite simply, I don't feel that it's worth the price tag. In order for me to pay $400, I expect it to have significantly more features that I'll use. I've been very impressed with some utilities and macros provided by MS Office -- but I don't use these, which is why I decided not to pay the price. Finally, many of us have been using MS Office for several years. When we first sat down at a computer that used OpenOffice, we noticed a big difference and weren't used to the controls. But wait -- the first time you sat down at a computer using MS Office, did you know how to adjust the line spacing? You had to learn -- in OpenOffice, you need to learn to look in a different place to do the things you're used to. In conclusion, everything has a price. OpenOffice requires your time to learn, while Microsoft Office requires $400. If you don't want to pay the price and are willing to take the time, use OpenOffice. If you need the extra features of Microsoft Office, and don't mind the price, use Microsoft. Neither can claim to be the best for everyone. Use what fits you best. Just don't condemn someone else for using the other one.

    16. Re:Wait, who still uses M$ 0ffice? by Vengeance_au · · Score: 1

      Yep - we use PDF for quotes etc. where the document doesn't change - but for any document format that needs to retain editability it's not an option. Even fewer people have PDF editing software than have Open Office.

    17. Re:Wait, who still uses M$ 0ffice? by SnowZero · · Score: 1

      I don't have particularly large limits (I think), but it always bothered me that every copy of xemacs would have 10 MB of resident memory. It bothered me a lot more when my computer only had 32 MB of memory (Linux drove me to upgrade to 64 MB pretty quickly after switching from Windows). Now, of course, 10 MB is practically nothing compared to what the Mozilla applications or Open Office use...

    18. Re:Wait, who still uses M$ 0ffice? by Anonymous Coward · · Score: 0

      Sorry, OO.org can be exploited by this bug too, I'm switching back to Word!

    19. Re:Wait, who still uses M$ 0ffice? by SnowZero · · Score: 4, Informative

      If you want more of your clients to change to OO, just run "strings" on their .doc files and email them the parts that came from other documents. That should be enough to get them to change their minds about it.

      (For the uninitiated, as you edit a document in MS Word, it picks up bits of other documents you have open at the time or even previously opened. This is because it doesn't clear memory before using it, and the fast-save file format is really more a memory dump. This may have been fixed in the latest version of MS Word; I certainly hope so...)
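      An added example, not code from the thread: a small C scanner in the spirit of the `strings` check SnowZero describes, written from the document owner's side (review what a file carries before it goes out). It walks a buffer for runs of printable 8-bit text and, separately, for runs of UTF-16LE-encoded text, which is how Word stores much of its text and which plain `strings` skips unless told to look for it with `-e l`. The byte buffer `sample_doc` is constructed for the demo and is not a real Word file; the function and type names are my own.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimum run length worth reporting; `strings` defaults to 4, 6 cuts down on noise. */
#define MIN_RUN 6

/* Called once per extracted run with the decoded 8-bit text (not NUL-terminated). */
typedef void (*run_cb)(const char *text, size_t len, const char *encoding);

static int printable(unsigned char c)
{
    return c >= 0x20 && c <= 0x7e;
}

/* Runs of printable 8-bit characters: what `strings` reports by default. Returns the count. */
size_t scan_ascii_runs(const unsigned char *buf, size_t len, size_t min_run, run_cb cb)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && printable(buf[i]))
            continue;                      /* still inside a run */
        if (i - start >= min_run) {        /* run ended (or buffer ended) */
            count++;
            if (cb)
                cb((const char *)buf + start, i - start, "ascii");
        }
        start = i + 1;
    }
    return count;
}

/* Runs of UTF-16LE-encoded ASCII (each character stored as byte, 0x00). The scan steps
   one byte after every miss, so runs that begin at odd offsets are found as well. */
size_t scan_utf16le_runs(const unsigned char *buf, size_t len, size_t min_run, run_cb cb)
{
    char decoded[512];                     /* decoded run, truncated past this size */
    size_t count = 0, n = 0, i = 0;

    while (i + 1 < len) {
        if (printable(buf[i]) && buf[i + 1] == 0x00) {
            if (n < sizeof decoded)
                decoded[n] = (char)buf[i];
            n++;
            i += 2;
            continue;
        }
        if (n >= min_run) {
            count++;
            if (cb)
                cb(decoded, n < sizeof decoded ? n : sizeof decoded, "utf-16le");
        }
        n = 0;
        i++;
    }
    if (n >= min_run) {                    /* run that reaches the end of the buffer */
        count++;
        if (cb)
            cb(decoded, n < sizeof decoded ? n : sizeof decoded, "utf-16le");
    }
    return count;
}

/* Constructed stand-in for a fragment of a binary document: header-like bytes, an 8-bit
   text run, filler, a UTF-16LE text run, and a short tail that falls under MIN_RUN. */
const unsigned char sample_doc[] = {
    0xd0, 0xcf, 0x11, 0xe0,                                     /* not printable */
    's', 'e', 'c', 'r', 'e', 't', ' ', 'p', 'r', 'i', 'c', 'e', /* 8-bit run, 12 chars */
    0x00, 0x01, 0x02,                                           /* filler */
    'C', 0, 'o', 0, 'n', 0, 'f', 0, 'i', 0, 'd', 0,             /* UTF-16LE run, 12 chars */
    'e', 0, 'n', 0, 't', 0, 'i', 0, 'a', 0, 'l', 0,
    0xff, 0xfe, 'a', 'b',                                       /* "ab" is too short to report */
};
const size_t sample_doc_len = sizeof sample_doc;

static void print_run(const char *text, size_t len, const char *encoding)
{
    printf("%-8s %.*s\n", encoding, (int)len, text);
}

/* Total runs a reviewer would see for the sample at the default threshold: one per encoding. */
size_t scan_sample(void)
{
    return scan_ascii_runs(sample_doc, sample_doc_len, MIN_RUN, NULL)
         + scan_utf16le_runs(sample_doc, sample_doc_len, MIN_RUN, NULL);
}

int main(void)
{
    scan_ascii_runs(sample_doc, sample_doc_len, MIN_RUN, print_run);    /* ascii    secret price */
    scan_utf16le_runs(sample_doc, sample_doc_len, MIN_RUN, print_run);  /* utf-16le Confidential */
    return 0;
}
```

      Run both scans over the bytes of an outgoing file and read the report the way the recipient would: anything you do not recognise from the visible text is a candidate for the kind of residue described above. A hit shows only that the bytes are present in the file, not how they got there.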

    20. Re:Wait, who still uses M$ 0ffice? by newt0311 · · Score: 1

      My copy of emacs is taking up 12.2 MB right now, but that is with several major modes loaded while viewing several very large files and the undo limit set to 100,000 (5 times the norm). Knowing elisp, that much usage is frankly not very surprising. In elisp (or any lisp implementation, I think), most things have to be kept as lists, which means that instead of a pointer, you have a pointer-->cons cell-->2 pointers-->actual stuff. Combine that with the object arrays, function name strings etc... and they can eat up RAM pretty quickly. It's still surprising because when I start my computer up but have not yet started any apps, I am only using about 50 megs. Then again, my bash processes are taking up ~3.2 megs each (but that's with several thousand history commands in RAM + custom completions for pretty much everything + loads of other crap). Still, wonder where all that memory goes.

    21. Re:Wait, who still uses M$ 0ffice? by westlake · · Score: 1
      In order for me to pay $400, I expect it to have significantly more features that I'll use.

      Who the hell pays retail list for a legit copy of Office?

    22. Re:Wait, who still uses M$ 0ffice? by eosp · · Score: 1

      Well, my original `ed` is about 10k.

    23. Re:Wait, who still uses M$ 0ffice? by Vengeance_au · · Score: 1

      OK, that's just plain evil - just ran it over a few old quotations I've done up previously....... some nice info in there that wasn't supposed to go out to clients!

      Other issue I've seen a few times is people send docs with versioning still enabled - you get to see the original document and all the changes made before the finished product. Really interesting for quotes etc where the workings often contain their prices before markup....

      Thanks for the heads up.

    24. Re:Wait, who still uses M$ 0ffice? by Beryllium+Sphere(tm) · · Score: 1

      Yes, that's happening and it's insane, but the only gain from running as a less-privileged user would be to force an attacker to find or use a Windows privilege escalation vulnerability.

    25. Re:Wait, who still uses M$ 0ffice? by ComaVN · · Score: 1

      I couldn't reproduce this with Word 2003 SP2, fully patched. Do you have a reproduction recipe?

      --
      Be wary of any facts that confirm your opinion.
    26. Re:Wait, who still uses M$ 0ffice? by Anonymous Coward · · Score: 0
      OO.ORG has the same problem....(Score:0)
      by Anonymous Coward on Friday December 15, @01:00AM (#17247720) ....

      ooffice2 69-crasgtest.doc /usr/lib/openoffice/program/soffice: line 236: 12793 Segmentation fault "$sd_prog/$sd_binary" "$@"

      Enough said...


      Try reading some other posts before you start telling everyone how Word is the only one vulnerable.
    27. Re:Wait, who still uses M$ 0ffice? by the_womble · · Score: 1

      It's not that bad. I do not have MS Office for comparison, but it works nicely on a reasonably modern machine, and does not compare too badly with other apps. Actual numbers:

        PID PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
      4895 15   0  139m  68m  22m S  1.7  7.0   2:59.20 firefox-bin
      4883 15   0 78020  52m  21m S  0.0  5.3   0:28.51 konqueror
      4927 15   0  106m  41m  21m S  0.0  4.3   0:22.28 mozilla-thunder
      26874 15   0 80308  15m  11m R  0.0  1.5   0:06.82 realplay.bin
      26994 15   0  4180 1676 1068 S  0.0  0.2   0:00.03 soffice
      27005 15   0  190m  77m  47m S  0.0  8.0   0:29.43 soffice.bin
      27026 15   0 32440  15m  12m S  0.0  1.6   0:01.88 konsole

      Open Office has a 300 page document open, the browsers have a few tabs open in each, firefox also has the RealPlayer plugin loaded. Konsole is running top. Open Office is clearly not lightweight, but it is not terrible either.

    28. Re:Wait, who still uses M$ 0ffice? by ThePhilips · · Score: 2, Informative
      It's probably 'coded better' with C++ and what-not, creating bloated structures and resource piggishness.

      It is not. M$Office is a much more optimized (by all means) product. StarOffice itself was based on previous work - so the code base was already split even before the Sun acquisition. And then add the development of Sun and OO.o, which do not perfectly fit each other.

      And Sun's following development effort, which threw Java into the bucket, didn't help either.

      The result is a buggy, bloated mess. Don't argue with me. I use OOo every day. And I have read the source code.

      It's free - but there is nothing more to it. ODF compatibility is still far below any usability level so all the PR talk about ODF magic is just what it is - PR talk. IOW, all OOo has now is its free beer's price: $0.00.

      --
      All hope abandon ye who enter here.
    29. Re:Wait, who still uses M$ 0ffice? by makomk · · Score: 1

      Of course, having looked at the Emacs source code, I don't think it can even allocate more than 16MB or so of Lisp storage, which limits how bloated things can get. (The pointers into the Lisp storage area all seem to be 24-bit...)

    30. Re:Wait, who still uses M$ 0ffice? by towaz · · Score: 1

      I don't think there is any shortage of them right now. Due to the Xmas season this could not have come at a worse time; I'm already seeing viral emails being passed at a stupid rate.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
    31. Re:Wait, who still uses M$ 0ffice? by VoiceOfDoom · · Score: 1
      OK, I have tried this and it's quite scary. Am about to go off and write a risk assessment now......

      I looked at MS's website, and there is a tool published there which purports to remove "hidden" or "unwanted" data from Word/Excel/PowerPoint files, however it only talks about tracking and collaboration data. Would this tool remove the data from the other documents, which was picked up by "strings" as well? Can't test it at the moment as it requires validation (ugh) to download and I can't do that from a corporate PC, but would be very interested to know, if anyone else already has.......

      The link to the MS tool is here:

      --
      "Life is pain Highness. Anyone who says otherwise is selling something"

      Westly, The Princess Bride

    32. Re:Wait, who still uses M$ 0ffice? by permawired · · Score: 1

      My dad could pick it apart within minutes, and he doesn't normally care about software at all.

      I've seen this problem several times. It's not that OO wouldn't do what he wants, it's that it doesn't do it by default. So since it looks a bit different and operates a little differently, it's going to be alien, and people have a hard enough time with computers as it is. Unfortunately the average user has difficulty learning how to use an application, and once they have, they don't want to migrate away from it unless they really need to. Why do you think so many software companies will give their software for free or close to free to schools? We geeks scoff at such things, but to a user it's a big deal.

    33. Re:Wait, who still uses M$ 0ffice? by mspohr · · Score: 1
      Hello? OO keeps getting bashed for being bloated but I did some tests a few days ago (when the same trolls were out in another thread) and both OO and MS Office each use about the same amount of memory and this is a very reasonable size on any machine that is less than 5 years old.

      In short, the office suite (wp, spreadsheet, presentation) takes about 60 meg for OO.org and 65 meg for MS Office (v10) with no documents open. This is a very reasonable amount of memory on any computer that isn't ready for the junk pile.

      --
      I don't read your sig. Why are you reading mine?
    34. Re:Wait, who still uses M$ 0ffice? by VoiceOfDoom · · Score: 1

      Do you have any links about this? I have tested it and seen it for myself, but was just wondering where to get a more in-depth explanation of the exact process that happens.

      Ta

      --
      "Life is pain Highness. Anyone who says otherwise is selling something"

      Westly, The Princess Bride

    35. Re:Wait, who still uses M$ 0ffice? by Steve001 · · Score: 1

      permawired wrote:

      My dad could pick it apart within minutes, and he doesn't normally care about software at all.

      I've seen this problem several times. It's not that OO wouldn't do what he wants, it's that it doesn't do it by default. So since it looks a bit different and operates a little differently, it's going to be alien, and people have a hard enough time with computers as it is. Unfortunately the average user has difficulty learning how to use an application, and once they have, they don't want to migrate away from it unless they really need to. Why do you think so many software companies will give their software for free or close to free to schools? We geeks scoff at such things, but to a user it's a big deal.

      This is not just an issue with OpenOffice. When I get a new copy of MS Word I spend the first 15 minutes with the program adjusting all of the settings so that it works the way I need it to. I have the same experience with most of the programs I use. For me it is just a normal part of using the program. All I ask is that the settings be easy to locate and change.

    36. Re:Wait, who still uses M$ 0ffice? by newt0311 · · Score: 1

      Just out of curiosity, how did they manage to implement 24-bit pointers, since C only has 32-bit pointers (or 64-bit on amd64, maybe)?

    37. Re:Wait, who still uses M$ 0ffice? by permawired · · Score: 1

      This is exactly what I'm talking about. The average user sits down with a new program and learns it. They rarely change any of the settings, and if they do it's only a couple. So when you sit down with M$ Office and have to configure it for 15 mins so it's similar to what your OO experience is like.... well, you get the picture when your M$ Office user sits down in front of OO.

    38. Re:Wait, who still uses M$ 0ffice? by makomk · · Score: 1

      They did it via a bitfield and typecasting (or equivalent use of masks and bitshifts) - the other 8 bits are used for something else. On modern 32-bit machines like x86, it's more like an offset into an allocated Lisp storage area than a true pointer, for obvious reasons, but originally it was just an ordinary pointer stored in 24 bits...
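      An added illustration of the packing makomk describes, not code from Emacs: a 32-bit word carrying 24 bits of value or offset and 8 bits of type tag, encoded once with masks and shifts and once with a bit-field struct, together with the 16 MiB ceiling that falls out of a 24-bit field and the arena-relative resolution the comment mentions. `lisp_word`, the tag values and the arena are constructed for the demo; the real Emacs layout differs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VALUE_BITS 24u
#define VALUE_MASK ((1u << VALUE_BITS) - 1u)   /* 0x00ffffff */
#define TAG_MASK   0xffu

typedef uint32_t lisp_word;   /* hypothetical name for the packed word */

/* Constructed tag values; real Emacs tags differ. */
enum tag { TAG_INT = 0, TAG_SYMBOL = 1, TAG_STRING = 2, TAG_CONS = 3 };

/* Masks-and-shifts encoding: the bit positions are explicit, so it is portable. */
lisp_word word_make(enum tag t, uint32_t value)
{
    return (((uint32_t)t & TAG_MASK) << VALUE_BITS) | (value & VALUE_MASK);
}

uint32_t word_value(lisp_word w) { return w & VALUE_MASK; }

enum tag word_tag(lisp_word w) { return (enum tag)(w >> VALUE_BITS); }

/* Bit-field encoding, the other form the comment mentions. Field order in memory is
   implementation-defined, so only the same compiler should pack and unpack it. */
struct tagged_bits {
    unsigned value : 24;
    unsigned tag   : 8;
};

struct tagged_bits bits_pack(enum tag t, uint32_t value)
{
    struct tagged_bits b;
    b.value = value & VALUE_MASK;          /* anything above bit 23 is silently dropped */
    b.tag = (unsigned)t & TAG_MASK;
    return b;
}

/* Does an offset fit in 24 bits? Anything at or above 2^24 cannot be represented. */
int value_fits(uint32_t value) { return value <= VALUE_MASK; }

/* The ceiling on Lisp storage that the field width imposes: 16 MiB. */
uint32_t addressable_bytes(void) { return VALUE_MASK + 1u; }

/* On a 32-bit machine the 24-bit field is an offset into one allocated Lisp storage
   area, not an absolute address. A small demo arena stands in for that area. */
static unsigned char arena[1u << 16];

void *word_resolve(lisp_word w)
{
    uint32_t off = word_value(w);
    if (off >= sizeof arena)
        return NULL;                       /* offset beyond the arena actually allocated */
    return arena + off;
}

int main(void)
{
    lisp_word w = word_make(TAG_CONS, 0x123456);
    printf("word 0x%08x: tag %u, offset 0x%06x\n", w, word_tag(w), word_value(w));
    printf("24-bit field addresses %u bytes\n", addressable_bytes());
    printf("offset 0x01000000 fits: %s\n", value_fits(0x01000000) ? "yes" : "no");
    return 0;
}
```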

    39. Re:Wait, who still uses M$ 0ffice? by newt0311 · · Score: 1

      got it. Thanks a lot for your help.

    40. Re:Wait, who still uses M$ 0ffice? by Steve001 · · Score: 1

      For me, the time I spend adjusting the defaults of a program is not to make it work like another program, it's to ensure the program does not fight me and is easier to use. An example of this in MS Word is making the paragraph marks and tab marks visible by default, something I find very important in controlling my formatting.

  4. Thanks for the proof by Anonymous Coward · · Score: 4, Funny

    I always suspected that Microsoft Word was Turing-complete.

    1. Re:Thanks for the proof by spellraiser · · Score: 4, Funny

      No, that's Emacs. MS Word is a pushdown automaton at best.

      --
      I hear there's rumors on the Slashdots
    2. Re:Thanks for the proof by newt0311 · · Score: 1

      I would mod you up if I had mod points.

    3. Re:Thanks for the proof by RincewindTVD · · Score: 1

      But they advertise themselves as a pushdown automaton with two stacks!!

      __
      That's funny to people who know that multiple stacks don't increase the power of a PDA.

  5. Why do they have to make it hard by skelator2821 · · Score: 1

    Format the page the way it was meant to be: SIMPLE! I mean it's JUST WORDS put together; why the need for Super Secret embedded code? Word Perfect did this with precision.

    1. Re:Why do they have to make it hard by Acuram · · Score: 1

      I can tell you've never used any of the VBA in Word. Executable code + DOM = $$

    2. Re:Why do they have to make it hard by Shados · · Score: 1

      There's simply no money to be made in a simple office suite. Too many people who use basic office features will either use open office, or downright crack MS Office. Even companies.

      The ones that will actually shell out for Office are high-end corporate customers. And believe it or not, these features are very useful when you get to that point.

    3. Re:Why do they have to make it hard by Firehed · · Score: 1

      I'm sure you're right about corporate, but considering how many Firefox users I know (that's to say, those that might consider alternatives to Microsoft), I'm the only one of them that's ever used OpenOffice. And I'm sure that none of them would have had the computer knowledge to crack Office (you know, just find any of a hundred thousand torrents of it).

      Nope, most people I know that need nothing more than a basic office suite still use - and purchase - MS Office. Mind you, they'll typically end up with the Student and Teacher edition to save some cash, but they're still paying.

      --
      How are sites slashdotted when nobody reads TFAs?
    4. Re:Why do they have to make it hard by Shados · · Score: 1

      I see. Almost everyone I know using Office has a cracked copy of one kind or another. Usually because Office does a lot fewer checks, and usually a simple copied CD from work is all you need. An incredible amount of computers come preloaded with illegal Office (that's what my parents are using >.> ).

      And well, the educational version of Office's price is so freakin' low, it might as well be piracy (depending on your take as to the legitimacy of such pre-sale restriction on software usage, not to be confused with post-sale EULAs). There's no profit in these for Microsoft (the money they make from them is extra on top of the full versions being sold, so technically it IS profit. But if these were the only ones to sell, it wouldn't be worth it).

      As for OpenOffice, when I mentioned it, I mostly had in mind all of the more computer-savvy people who need basic office functionalities and will use it over MS Office (aka: a large amount of people reading this). It was simply mentioned so that someone wouldn't point it out, hehe.

      Now take that, in opposition to the place I work at currently. 15000 legit, full version licenses of Office, 75% of which use more than just "simple word processor functionalities". Of course there's a HUGE discount because of the volume. But it's still probably more profit total than 500000 average home users (including the pirates). Less customer support cost, too.

  6. This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 5, Interesting

    I tried to open the PoC with OpenOffice 2.0.4 and it crashed. Can someone confirm?

    ooffice2 12122006-djtest.doc /usr/lib/openoffice/program/soffice: line 236: 12793 Segmentation fault "$sd_prog/$sd_binary" "$@"

    This may not be a code execution bug; I'll try to trace it with gdb to see what happens.

    --
    Ads? What ads?
    1. Re:This appears to affect OpenOffice 2.0.4? by phunster · · Score: 2, Interesting

      It crashed OO 2.1 here

    2. Re:This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 4, Insightful

      The gdb backtrace shows that the crash occurs in SwIoSystem::IsFileFilter (). EIP may not have been overwritten; the value points into what appears to be a valid function (i.e. not the stack or heap):

      eip 0xb7286b4d 0xb7286b4d osl_getVolumeInformation+4487

      Of course, this is probably because the exploit was designed to crash MS Word in the first place, not execute arbitrary code.

      --
      Ads? What ads?
    3. Re:This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 3, Interesting

      This is actually quite scary considering the size of Office documents. Store the executable code embedded in the metadata where user-supplied text would normally exist, using a nop slide of several kilobytes at the start. You have at least 26 kilobytes after all... imagine what could be done with 10k of executable code.

      --
      Ads? What ads?
    4. Re:This appears to affect OpenOffice 2.0.4? by QuantumG · · Score: 1

      Doesn't really match up with this stack trace though does it?

      Fatal exception: Signal 6
      Stack: /usr/lib/openoffice/program/libuno_sal.so.3[0xb754651f] /usr/lib/openoffice/program/libuno_sal.so.3[0xb754683f] /usr/lib/openoffice/program/libuno_sal.so.3[0xb75468dd]
      [0xffffe420] /lib/tls/i686/cmov/libc.so.6(abort+0xe9)[0xb6f7a2b9] /usr/lib/openoffice/program/libvcl680li.so[0xb7f5da0b] /usr/lib/openoffice/program/libvcl680li.so(_ZN11Application5AbortERK6String+0x17)[0xb7dbbf53] /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt+0x44)[0x806b0a0] /usr/lib/openoffice/program/libvcl680li.so[0xb7dc19de] /usr/lib/openoffice/program/libvos3gcc3.so(_ZN3vos28_cpp_OSignalHandler_FunctionEPvP13oslSignalInfo+0xf)[0xb77718f7] /usr/lib/openoffice/program/libvos3gcc3.so(_Z24_OSignalHandler_FunctionPvP13oslSignalInfo+0x1a)[0xb7771914] /usr/lib/openoffice/program/libuno_sal.so.3[0xb754658b] /usr/lib/openoffice/program/libuno_sal.so.3[0xb75468c9]
      [0xffffe420] /lib/tls/i686/cmov/libc.so.6(abort+0xe9)[0xb6f7a2b9] /usr/lib/openoffice/program/libvcl680li.so[0xb7f5da0b] /usr/lib/openoffice/program/libvcl680li.so(_ZN11Application5AbortERK6String+0x17)[0xb7dbbf53] /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt+0x1a5)[0x806b201]

      --
      How we know is more important than what we know.
    5. Re:This appears to affect OpenOffice 2.0.4? by Anonymous Coward · · Score: 0

      FWIW - Crashed both Mac Word 2004 and NeoOffice Aqua Beta with latest patches.

    6. Re:This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 1

      Interesting that you get a different result than I did. Here's a full trace of what I get:

      http://rafb.net/paste/results/Jki6Ds85.html

      --
      Ads? What ads?
    7. Re:This appears to affect OpenOffice 2.0.4? by Gothmolly · · Score: 5, Insightful

      ...imagine what could be done with 10k of executable code

      Run Visicalc?

      --
      I want to delete my account but Slashdot doesn't allow it.
    8. Re:This appears to affect OpenOffice 2.0.4? by dysfunct · · Score: 1

      Can confirm at least freezing (no segfault yet) on OOo 2.0.3 on FreeBSD

      --
      :/- spoon(_).
    9. Re:This appears to affect OpenOffice 2.0.4? by QuantumG · · Score: 1

      Yup, I think that indicates it is a corrupt stack.. anyways, maybe some OpenOffice developers would like to know about this, if they don't already.

      --
      How we know is more important than what we know.
    10. Re:This appears to affect OpenOffice 2.0.4? by dysfunct · · Score: 1

      Got SIGBUS on 2.0.3 FreeBSD. Trace here, EIP seems not overwritten.

      --
      :/- spoon(_).
    11. Re:This appears to affect OpenOffice 2.0.4? by TheLink · · Score: 1

      Whoopee OpenOffice is getting more and more compatible with MS Office by the day... ;)

      But as long as people write most of their complex stuff in C or C++ this will keep happening.

      People should switch to programming languages and frameworks that just won't run "arbitrary code of an attacker's choice" when something exceptional occurs.

      After all these decades aren't there any easy to learn, safe and fast programming languages?

      --
    12. Re:This appears to affect OpenOffice 2.0.4? by droopycom · · Score: 2, Funny

      Don't worry!
      Don't you know that OpenOffice.org uses Slashdot as a bug tracking system??

    13. Re:This appears to affect OpenOffice 2.0.4? by ceoyoyo · · Score: 1

      Pick any two. Well, no, pick either of the last two. You might get the first one as a bonus.

    14. Re:This appears to affect OpenOffice 2.0.4? by Anonymous Coward · · Score: 0

      C#

    15. Re:This appears to affect OpenOffice 2.0.4? by TigerNut · · Score: 2, Insightful

      You can't fault the programming language. The problem is in the application if it doesn't check buffer size against how much data is being read; it's in the OS if the problem is occurring when the application does a system call of some sort and is compromised in the process.

      However... it looks like there are Oo.org users digging into that side of the problem. Probably they'll have an accurate synopsis of the failure mechanism and a patch on the way in a few days. Unfortunately we can't say the same (with the same confidence level) about MS Word.

      --

      Less is more.

    16. Re:This appears to affect OpenOffice 2.0.4? by Anonymous Coward · · Score: 0

      You just made my day. Thank you. 8^)

    17. Re:This appears to affect OpenOffice 2.0.4? by TheLink · · Score: 1

      Uh if that happens then the language used is obviously unsafe.

      Next you'll be telling me it's not the fault of a computer system (O/S + hardware) if user A's processes can change the memory contents of user B's processes, and it's actually a problem in the application... Who wants to do cooperative multitasking and memory management nowadays?

      Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit? Sure there should be an error and things could go wrong (e.g. program dies with exception and stack trace). But to do it the C/C++ way should be considered _unacceptable_ nowadays.

      --
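      TigerNut's point (the application has to check the buffer size against how much data is being read) and TheLink's (in C the penalty for getting that wrong is silent memory corruption rather than an error) side by side, as an added example that is not from the thread or from either office suite: a reader for a constructed record format (2-byte little-endian length, then payload) in its unchecked shape and its hardened shape. The record layout, the names and the sample records are my own; the unchecked version is present only to mark which checks are missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* destination capacity, including the terminating NUL */

/* Constructed record layout: 2-byte little-endian payload length, then the payload. */
static uint16_t read_u16le(const unsigned char *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

/* The defective shape: the length is taken from the file and trusted. A declared length
   above FIELD_MAX writes past `out`; one above the bytes actually present reads past `in`.
   Nothing in C reports either; the write just lands wherever the arithmetic says. */
int read_field_unchecked(const unsigned char *in, size_t in_len, char out[FIELD_MAX])
{
    (void)in_len;                          /* the available size is never consulted */
    uint16_t n = read_u16le(in);
    memcpy(out, in + 2, n);
    out[n] = '\0';
    return n;
}

/* Hardened: the declared length must fit both what was actually read and where it goes.
   Returns the payload length, or -1 for a record that is rejected. */
int read_field_checked(const unsigned char *in, size_t in_len, char out[FIELD_MAX])
{
    if (in_len < 2)
        return -1;                         /* not even a complete length field */
    uint16_t n = read_u16le(in);
    if (n > in_len - 2)
        return -1;                         /* declared length exceeds the bytes present */
    if (n >= FIELD_MAX)
        return -1;                         /* would overrun `out`, or leave no room for NUL */
    memcpy(out, in + 2, n);
    out[n] = '\0';
    return n;
}

/* Constructed records. */
const unsigned char rec_ok[]           = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
const unsigned char rec_overdeclared[] = { 0xff, 0xff, 'x', 'y', 'z' };  /* claims 65535, carries 3 */
const unsigned char rec_toolong[102]   = { 0x64, 0x00 };                 /* 100 bytes, exceeds FIELD_MAX */
const unsigned char rec_truncated[]    = { 0x05 };                       /* cut off inside the header */

static char scratch[FIELD_MAX];

/* Checked read into a shared scratch buffer, so callers can inspect the text afterwards. */
int checked_scratch(const unsigned char *in, size_t in_len)
{
    return read_field_checked(in, in_len, scratch);
}

/* Run the checked reader over all four records; returns how many were rejected. */
int count_rejected(void)
{
    char out[FIELD_MAX];
    int rejected = 0;
    rejected += read_field_checked(rec_ok, sizeof rec_ok, out) < 0;
    rejected += read_field_checked(rec_overdeclared, sizeof rec_overdeclared, out) < 0;
    rejected += read_field_checked(rec_toolong, sizeof rec_toolong, out) < 0;
    rejected += read_field_checked(rec_truncated, sizeof rec_truncated, out) < 0;
    return rejected;
}

int main(void)
{
    char out[FIELD_MAX];
    printf("checked, good record:  %d (%s)\n", read_field_checked(rec_ok, sizeof rec_ok, out), out);
    printf("checked, 65535 declared: %d\n", read_field_checked(rec_overdeclared, sizeof rec_overdeclared, out));
    printf("checked, 100 declared:   %d\n", read_field_checked(rec_toolong, sizeof rec_toolong, out));
    printf("checked, truncated:      %d\n", read_field_checked(rec_truncated, sizeof rec_truncated, out));
    printf("records rejected: %d of 4\n", count_rejected());
    return 0;
}
```

      The two size checks are the whole difference: one against the input that was actually read, one against the destination. The unchecked reader behaves identically on the well-formed record, which is why this class of bug survives testing on ordinary documents and surfaces only when a file declares a length it does not carry.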
    18. Re:This appears to affect OpenOffice 2.0.4? by Oddscurity · · Score: 1

      So does Oracle, except they only visit /. once every two years or so.

      --
      Indeed!
    19. Re:This appears to affect OpenOffice 2.0.4? by QuantumG · · Score: 1

      I wouldn't wanna take enjoyment away from the people who find it fun to work on OpenOffice.

      --
      How we know is more important than what we know.
    20. Re:This appears to affect OpenOffice 2.0.4? by melikamp · · Score: 1

      AbiWord opens it OK. The document seems to be empty.

    21. Re:This appears to affect OpenOffice 2.0.4? by Z34107 · · Score: 1

      People should switch to programming languages and frameworks that just won't run "arbitrary code of an attacker's choice" when something exceptional occurs.

      No matter how many different levels of indirection you have, eventually your code turns into instructions and raw bytes that get crunched by the CPU.

      All that changing to a slower and inferior (but easier to program!) language does is add another point of weakness: you can exploit program code or the framework code.

      [goofymetaphor]Languages like Java, C# + .NET, and Visual Basic are like squirt guns. C++ is a machine gun.[/goofymetaphor] Which one do you think people afraid of loud noises are going to avoid?

      --
      DATABASE WOW WOW
    22. Re:This appears to affect OpenOffice 2.0.4? by Anonymous Coward · · Score: 0

      Look closer...

    23. Re:This appears to affect OpenOffice 2.0.4? by uwog · · Score: 1

      Shameless plug: works fine in AbiWord :)

    24. Re:This appears to affect OpenOffice 2.0.4? by Fred_A · · Score: 1

      KWord (1.5.2) opens it as well. Looks empty here too.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    25. Re:This appears to affect OpenOffice 2.0.4? by TheLink · · Score: 1

      Sure, there'll always be a place for unsafe languages but most programmers shouldn't be using C++ (or C) - there's plenty of evidence that they obviously don't know how to write safe C++. Just look at Bugtraq every day.

      As for the raw bytes, fine for my code to get turned into instructions, but not fine for an attacker's arbitrary _data_ to somehow be treated as raw instructions.

      Why is it _still_ so common for function parameters/data to be pushed onto stacks that are also used for program counters (return addresses)? It's a stupid idea for modern computers - bad hygiene (poorly controlled mixing of code and data).

      For better security such "local parameters and data" should be placed on a separate stack. When you call a sub with parameters, you push the parameters to the parameter stack and then push your return address to the normal stack and call as normal, the called sub can then pop the parameters from the parameter stack.

      Even if a programmer screws up, you just get wrong data going to the wrong function BUT you are a lot less likely to get arbitrary data being executed (return to "data" etc).

      Sure sometimes you pass an address of a function to another function for performance/flexibility reasons (instead of an index/handle to a list of allowed functions) but really that shouldn't be the norm and so could be made a lot more difficult to exploit.

      If Intel and AMD were interested in making things more secure they could create separate parameter/data stack registers and instructions for such a purpose.

      Perhaps they should also allow quick tamper checks of function parameters. A function expecting parameters A and B of length X and Y could do a "startpop <some number>" and then "pop+sum" parameters off the parameter stack and then pop the checksum and halt if things don't match up.

      After all, their transistors aren't getting much faster, just more plentiful. They are running out of ways to use transistors meaningfully - they've added MMX, SSE2, AMD64/EMT64 etc, so why not make the easy exploits harder?

      --
    26. Re:This appears to affect OpenOffice 2.0.4? by Anonymous Coward · · Score: 0

      Just reposting the tags, as they are twice as powerful now:

      haha, pwned (tagging beta)

      --------------

    27. Re:This appears to affect OpenOffice 2.0.4? by Z34107 · · Score: 1

      Why is it _still_ so common for function parameters/data to be pushed onto stacks that are also used for program counters (return addresses)? It's a stupid idea for modern computers - bad hygiene (poorly controlled mixing of code and data).

      First of all, the program counter (or instruction pointer) is the register where the address of the next instruction is stored. The return address is where your program was before it called your function.

      Unless you write your program in one giant function, you will always have a return address and every language that supports recursion passes parameters via the stack.

      Perhaps they should also allow quick tamper checks of function parameters. A function expecting parameters A and B of length X and Y could do a "startpop " and then "pop+sum" parameters off the parameter stack and then pop the checksum and halt if things don't match up.

      Visual Studio 2005 has a scheme like this enabled by default. If stack corruption is detected, it kills your program. It's some compiler switch, I'm sure anyone interested can find it.

      As for your CPU architecture comments, even the Pentium 4 today is almost fully backwards compatible with the 8086. Neither Intel nor AMD are going to drastically change their processors in the ways you suggest - this would break every computer and every program on the face of the earth.

      As for the dangers of pointers - how do you feel about reference parameters? Again, a feature every sophisticated programming language has.

      --
      DATABASE WOW WOW
    28. Re:This appears to affect OpenOffice 2.0.4? by TheLink · · Score: 1

      I guess I wasn't clear, but I was saying apps can have two stacks, one stack for return addresses and one for parameters. Even if you clobber the parameter stack, you won't clobber the return address stack without the CPU detecting it automatically.

      Why I said one stack for program counters: In loose terms, for a subroutine call the cpu pushes the value of the program counter onto the stack, and then changes the program counter to the new address. The return command just pops the program counter off the stack, and execution continues from there.

      Visual studio and GCC have stuff like canaries, BUT they slow things down. I'm saying that with hardware support they shouldn't slow things down, or at least not much for most circumstances.

      And it wouldn't be a drastic change - only new code needs to use the new features. Old code can still behave the same way and be vulnerable. It's just like SSE, SSE2 and so on - e.g. you need to use the new pop and push commands to get the hardware assisted checksumming behaviour. No SSE2? Fall back to x87 style calculations.

      Reference parameters should be much better - since you'd have fewer bytes to check than if you had to checksum 1 kilobyte of parameters to see if they had been tampered with.

      A possible advantage of keeping the stacks separate is if the CPU can assume that the stack only contains return addresses it could make it easier for the CPU speculative stuff to predict where the code path is going to be and issue the fetches etc.

      Maybe one could even do something like Perl's taint mode but in hardware. So the CPU might _never_ execute anything that's tainted - you'd have to explicitly untaint it. Not sure if that really could be done though ;).

      Sure some attacks will still be possible, there'll always be attacks, but the current situation is a lot worse than it could be.

      --
  7. Affect on Macs? by goombah99 · · Score: 1

    Some of these bugs can penetrate Macs, but is there an actual exploit for the penetration on Macs? For just one or all three?

    Are these fully macro viruses or are these actual binary executables being injected?

    If we have binary executables being injected by some sort of buffer overrun, then I wonder what happens on Intel Macs. Does the exploit inject i86 code or ppc code? Does Rosetta run the PPC injection or does the i86 injection run on its own?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Affect on Macs? by NadNad · · Score: 1

      Rosetta only kicks in when a binary is started. Once a binary is running, it's stuck in whatever CPU mode it began...an intel-native executable cannot load a ppc shared-library module at all. So you need to have a universal-binary exploit if one wants to hit both ppc and i386.

    2. Re:Affect on Macs? by UglyTool · · Score: 1
      My question is, does this vulnerability exist in Pages?

      I haven't used MS Office in many, many moons, and I wonder if I should be worried about an exploit in Pages.

      FWIW, I'm running OS 10.4.8 on PPC, and fully updated.

  8. Another day, another misfeature. by Anonymous Coward · · Score: 0
    > Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word.

    Who the fuck got this past whatever committee was reviewing design specs, and why haven't they been clubbed to death like a baby seal?

    When the entire OS relies on the last three characters of a filename to handle filetypes, did nobody think this was a bad idea?

    1. Re:Another day, another misfeature. by quazee · · Score: 1

      While you definitely should not rely on extension filtering, if a Word document has a completely random extension, it will not open with Word by default. However, since Word classic .doc format is based on ActiveDocument and OLE Compound Storage format, you can embed Word content into quite a lot of files.
      So, opening any OLE Compound Document by an application supporting Active Document (including Word itself) could be dangerous.

      However, double-clicking on document.qwer is actually harmless, unless you choose Microsoft Word when prompted to select an application.

      --
      throw new SuccessException("Sig read successfully");
    2. Re:Another day, another misfeature. by sqlrob · · Score: 1

      Some things aren't so harmless. .txt .rtf

      I tested both of those with word docs, and word opened. RTF is fine, since that was default to Word anyway. TXT is defaulted to notepad.

    3. Re:Another day, another misfeature. by MyLongNickName · · Score: 1

      Who the fuck got this past whatever committee was reviewing design specs, and why haven't they been clubbed to death like a baby seal?

      When the entire OS relies on the last three characters of a filename to handle filetypes, did nobody think this was a bad idea?


      ROFL. Bad design? Sure. However, this concept dates so far back and is so entrenched that I don't see it going away any time in the next decade. So the "design specs" you are referring to are non-existent, or simply say "make it compatible with the way the world has been doing things forever".

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    4. Re:Another day, another misfeature. by quazee · · Score: 1

      Couldn't reproduce this with .txt - Notepad opens in my case (I'm using Word 2003).

      Also, if you select something in Word and drag-and-drop it to a folder, a 'Scrap' file will be created with a hidden extension (.shs). This is one of the examples of ActiveDocument container dangers - .shs file may contain any ActiveDocument content.
      Another way to exploit the ActiveDocument vector is to use Insert->Object...->Word Document command in PowerPoint, Excel, and even Wordpad :)

      So, even explicitly opening RTF's in WordPad is not perfectly safe.

      --
      throw new SuccessException("Sig read successfully");
    5. Re:Another day, another misfeature. by dsci · · Score: 1

      So the "design specs" you are referring to are non-existent, or simply say "make it compatible with the way the world has been doing things forever".

      But the Unix world, which predates both Windows and MS-DOS, has NOT done it this way - EVER. This is the difference between an OS designed for true industrial use and one that is a bolt-on to a single user, mostly trusted environment system. Therefore, it IS a design problem. And it WILL be hard to fix.

      --
      Computational Chemistry products and services.
    6. Re:Another day, another misfeature. by toadlife · · Score: 1

      "But the Unix world, which predates both Windows and MS-DOS, has NOT done it this way - EVER" Is that supposed to be a joke or troll? If not, spare the world your revisionist history.

      "This is the difference between an OS designed for true industrial use and one that is a bolt-on to a single user, mostly trusted environment system." UNIX was designed so some bored programmer at Bell Labs could play his favorite game, "space command". It was an unstable, insecure piece of junk for the first several years of its existence.

      "Therefore, it IS a design problem. And it WILL be hard to fix."

      And UNIX people know this, as it took decades to fix their OS.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    7. Re:Another day, another misfeature. by dsci · · Score: 3, Informative

      And UNIX people know this, as it took decades to fix their OS.

      Speaking specifically about using file extensions, I think 'decades' is a little strong.

      From Wikipedia's FILE entry:

      The original version of file originated in Unix Research Version 4 in 1973 ... file's position-sensitive tests are normally implemented by matching various locations within the file against a textual database of magic numbers (see the Usage section). This differs from other simpler methods such as file extensions and schemes like MIME.

      Even if you happen to believe that the real improvements to file were not made until System V, that was 1983...so not decadeS, but decade.

      So no, not a troll and not revisionist. You make it sound like Unix was not usable until the 1990's.

      --
      Computational Chemistry products and services.
    8. Re:Another day, another misfeature. by toadlife · · Score: 1

      OK perhaps I embellished a bit. But the point of my reply was to call you on your assertion that UNIX doesn't do things the way it does because it's "the way they did it before".

      Doing things because "that's how it's always been done" is *the* UNIX way.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    9. Re:Another day, another misfeature. by makomk · · Score: 1

      While you definitely should not rely on extension filtering, if a Word document has a completely random extension, it will not open with Word by default. However, since Word classic .doc format is based on ActiveDocument and OLE Compound Storage format, you can embed Word content into quite a lot of files.
      So, opening any OLE Compound Document by an application supporting Active Document (including Word itself) could be dangerous.

      However, double-clicking on document.qwer is actually harmless, unless you choose Microsoft Word when prompted to select an application.


      Last time I tried this, that wasn't the case - as long as it wasn't a recognised file extension, Windows would quite happily open it in Word. That was a while back, though (Windows 98SE), so it might've changed since then.

    10. Re:Another day, another misfeature. by Anonymous Coward · · Score: 0

      Even if you happen to believe that the real improvements to file were not made until System V, that was 1983...so not decadeS, but decade.

      umm.. what year are you living in?
      Decade = 10 years
      2006 - 1983 = 23 years
      23 years > 10 years
      Decades or a score + 3

    11. Re:Another day, another misfeature. by dsci · · Score: 1

      File was introduced in 1973 and was markedly improved in 1983. That's 10 years or one decade. How does 2006 enter into this discussion?

      --
      Computational Chemistry products and services.
  9. Ad on site by Joe+The+Dragon · · Score: 1

    there is an ad for TechNet Security Center on that page
    http://www.microsoft.com/technet/security/default.mspx

  10. Its a feature by Lithdren · · Score: 1

    Fairly alarming that a simple document meant to basically contain text, can launch code on an OS.

    How long before someone turns this into an actual feature? Open an attachment in an Email, and launch an app to install something on the machine embedded in the email itself? I could almost see this as useful in a business atmosphere.

    Just don't sign me up to work in their IT department. Oh god the horror that could (would) cause.

    1. Re:Its a feature by geekoid · · Score: 1

      "How long before someone turns this into an actual feature?"

      About 12 years ago.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Its a feature by SpaceLifeForm · · Score: 1

      I'm pretty sure these exploitable holes weren't stable until 98se.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    3. Re:Its a feature by thewils · · Score: 1
      Fairly alarming that a simple document meant to basically contain text, can launch code on an OS.


      Certainly is.
      Brought to you by the company that allows embedding URLs in digital media.
      --
      Once I was a four stone apology. Now I am two separate gorillas.
    4. Re:Its a feature by flyingfsck · · Score: 1

      MS Outlook has had that feature since day one.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    5. Re:Its a feature by Anonymous Coward · · Score: 0

      It comes from MS using serialize to store the object's data.

      Whereas unix tends to worry about data formats, MS found it quicker to just dump the object's state.

      This means Word bloats out by having to be able to load objects from different versions.

      And the code tends to assume that call jumps may be valid.

    6. Re:Its a feature by AzsxQuii · · Score: 1

      Heck I remember when pre office 97 you could add a page break on the header (or footer) of a page. Preview the document and watch the page # increase until you ran out of memory and Word crashed. One of the first things I checked, to see if it was corrected, when I got a hold of office 97. LOL.

  11. Pointers in documents? by goombah99 · · Score: 1
    Microsoft Word malformed pointer vulnerability

    Overview

    A vulnerability in Microsoft Word could allow an attacker to compromise a vulnerable system.

    I. Description

    Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory. An attacker could trigger this vulnerability by convincing a user to open a specially crafted Word document.

    Holy smokes bat man. How on earth is a pointer value being stored in the data? Would not a pointer be some aspect of the memory allocation of the program itself and have nothing to do with the document??? Someone please explain.
    --
    Some drink at the fountain of knowledge. Others just gargle.
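The advisory text quoted above (a copy destination built from values stored in the document) and TigerNut's earlier point about checking buffer size against how much data is read, as an added illustration in C that is not from the original thread and not Word's code: the record layout, scratch buffer, and every sample document are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record format (NOT the real Word .doc layout):
 *   [u16 dest_offset LE][u16 length LE][length bytes of payload]
 * Each record asks the loader to copy its payload into a fixed scratch
 * buffer at dest_offset, so the destination of the memory copy is
 * computed from data the file controls, the pattern the advisory names. */
#define SCRATCH_SIZE 64
#define HDR_SIZE 4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }

/* Vulnerable pattern, kept only to show the defect: offset and length come
 * straight from the file and nothing checks that the copy stays inside
 * scratch. Deliberately never called. */
void copy_record_unchecked(uint8_t *scratch, const uint8_t *rec) {
    uint16_t off = rd16(rec);
    uint16_t len = rd16(rec + 2);
    memcpy(scratch + off, rec + HDR_SIZE, len);   /* file-chosen destination */
}

/* Validate one record header against both the file and the scratch buffer.
 * Returns the total record size on success, 0 if it must be rejected. */
static size_t validate_record(const uint8_t *rec, size_t avail, size_t scratch_size) {
    if (avail < HDR_SIZE) return 0;                 /* truncated header */
    uint16_t off = rd16(rec);
    uint16_t len = rd16(rec + 2);
    if ((size_t)len > avail - HDR_SIZE) return 0;   /* payload runs past end of file */
    /* Overflow-safe form of off + len <= scratch_size. */
    if (off > scratch_size || len > scratch_size - off) return 0;
    return HDR_SIZE + (size_t)len;
}

/* Two-pass loader: validate every record first, then apply them, so a bad
 * record anywhere leaves scratch untouched. Returns the number of records
 * applied, or -1 if the document was rejected. */
static int load_document(uint8_t *scratch, size_t scratch_size,
                         const uint8_t *doc, size_t doc_size) {
    size_t pos = 0;
    int count = 0;
    while (pos < doc_size) {                        /* pass 1: validate */
        size_t n = validate_record(doc + pos, doc_size - pos, scratch_size);
        if (n == 0) return -1;
        pos += n;
        count++;
    }
    pos = 0;
    while (pos < doc_size) {                        /* pass 2: apply */
        uint16_t off = rd16(doc + pos);
        uint16_t len = rd16(doc + pos + 2);
        memcpy(scratch + off, doc + pos + HDR_SIZE, len);
        pos += HDR_SIZE + (size_t)len;
    }
    return count;
}

/* Constructed sample documents. */
static const uint8_t BENIGN_DOC[] = {
    0x00, 0x00, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o',   /* off 0,  len 5 */
    0x0A, 0x00, 0x03, 0x00, 'a', 'b', 'c',             /* off 10, len 3 */
};
/* Offset 0xFFF0 would place the copy far outside the scratch buffer. */
static const uint8_t BAD_OFFSET_DOC[] = { 0xF0, 0xFF, 0x04, 0x00, 'X', 'X', 'X', 'X' };
/* Length 0x1000 claims far more payload than the file contains. */
static const uint8_t BAD_LENGTH_DOC[] = { 0x00, 0x00, 0x00, 0x10, 'X', 'X' };
/* A good record followed by one that ends 4 bytes past scratch (60 + 8). */
static const uint8_t MIXED_DOC[] = {
    0x00, 0x00, 0x02, 0x00, 'o', 'k',
    0x3C, 0x00, 0x08, 0x00, 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X',
};

/* 1 if the benign document loads both records into the right places. */
int check_benign(void) {
    uint8_t scratch[SCRATCH_SIZE] = {0};
    int n = load_document(scratch, sizeof scratch, BENIGN_DOC, sizeof BENIGN_DOC);
    return n == 2 && memcmp(scratch, "hello", 5) == 0 && memcmp(scratch + 10, "abc", 3) == 0;
}
/* Loader result for each crafted document (expected -1). */
int check_bad_offset(void) {
    uint8_t scratch[SCRATCH_SIZE] = {0};
    return load_document(scratch, sizeof scratch, BAD_OFFSET_DOC, sizeof BAD_OFFSET_DOC);
}
int check_bad_length(void) {
    uint8_t scratch[SCRATCH_SIZE] = {0};
    return load_document(scratch, sizeof scratch, BAD_LENGTH_DOC, sizeof BAD_LENGTH_DOC);
}
/* 1 if the mixed document is rejected AND nothing at all was written. */
int check_mixed_untouched(void) {
    uint8_t scratch[SCRATCH_SIZE] = {0}, zeros[SCRATCH_SIZE] = {0};
    int n = load_document(scratch, sizeof scratch, MIXED_DOC, sizeof MIXED_DOC);
    return n == -1 && memcmp(scratch, zeros, sizeof scratch) == 0;
}

int main(void) {
    printf("benign=%d bad_offset=%d bad_length=%d mixed_untouched=%d\n",
           check_benign(), check_bad_offset(), check_bad_length(), check_mixed_untouched());
    return 0;
}
```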
    1. Re:Pointers in documents? by corsec67 · · Score: 1

      The Word document is similar to a core dump of Word.exe.

      --
      If I have nothing to hide, don't search me
  12. Re:Third Microsoft Word Code Execution Exploit Pos by __aaclcg7560 · · Score: 3, Funny

    I did. My brain went blue screen and shut down. My attorney will be in touch.

  13. Eheheh by nnn0 · · Score: 0

    but what can you do with a box running that crap ? :D

  14. OO.ORG has the same problem.... by Anonymous Coward · · Score: 0

    ....

    ooffice2 69-crasgtest.doc /usr/lib/openoffice/program/soffice: line 236: 12793 Segmentation fault "$sd_prog/$sd_binary" "$@"

    Enough said...

    1. Re:OO.ORG has the same problem.... by newt0311 · · Score: 1

      damn. you are right. wonder why it's present in both systems though? do they just both suck in terms of code quality -- Not very hard to believe.

  15. Kinda limits Word's functionality, dontcha think? by kbob88 · · Score: 5, Funny
    Microsoft suggests that users "do not open or save Word files,"
    I really like this quote! That kind of limits the functionality of a word processor if you can't open or save files, right?

    What exactly does Microsoft suggest that I do with Word files? Besides using them to fragment my hard-disk? Maybe I can burn them to keep warm in the winter... um, no.

    Or perhaps I'll just use Word to create and save HTML files!!
  16. Suddenly, up pops: Hackie by Anonymous Coward · · Score: 4, Funny

    "I see that you are trying to craft an exploit. Would you like me to assist?"

    1. Re:Suddenly, up pops: Hackie by John+Sokol · · Score: 1

      Oh, sh*t I love it. Someone needs to really implement this....

      --
      I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
  17. Only Question by Anonymous Coward · · Score: 0

    So, the only question is, when will OpenOffice finally support this new feature?

  18. Re:Kinda limits Word's functionality, dontcha thin by Shados · · Score: 1

    Read them straight off the hard disk with your bare eyes. Obviously.

  19. Not only that... by bogaboga · · Score: 1
    I totally agree with your contribution. But in my case, my dad found OpenOffice to be just ugly! "The icons are too big," he complained. Even after making them "smaller" the whole interface remained "ugly."
    • Then we have the long time it takes to load.
    • Heck even saving a simple document takes a long time.
    • The Gnome or GTK file dialog did not help matters at all. He found that he could not paste an HTTP link into this file dialog to have OpenOffice open the referenced file. In other words a file to be opened MUST exist on the local or mounted file system.
    • Its help system seemed incomplete!
    • There did not exist a credible alternative to Microsoft Access. The integrated database application is not friendly at all and leaves a lot to be desired.
    The whole suite feels heavy to a user with an average system. Sadly, I agree with him. OpenOffice really needs more love. It's one thing to make a free office suite available but it's another to actually get users to use it.

    It's my hope that the developers will see this and create a suite that people can use. Most of them have used Word-Perfect or Microsoft Office and should not find it hard to see what we are talking about.

    1. Re:Not only that... by twistedcubic · · Score: 2, Interesting

      I think one drawback is that many people who use free software in their professional lives use tools that are far superior to MS Word for writing documents, and these people never test OO.org and thus never give positive feedback to OO.org developers. When you know for certain that MS Word is useless for your endeavors, any app attempting to replace it will be considered really useless. I think people are mistaken when they claim OO.org will be the magic bullet that thrusts free software into the mainstream. Firefox already did it. But I think Gnumeric and Abiword have a much better chance than OO.org.

    2. Re:Not only that... by IronTeardrop · · Score: 0, Flamebait
      But in my case, my dad found OpenOffice to be just ugly! "The icons are too big," he complained. Even after making them "smaller" the whole interface remained "ugly."
      Your Dad needs to choose between paying for MS Office and all that comes with it or accepting the free OpenOffice without impotent complaints about its "ugliness". Either shut up and enjoy the free software or contribute to the Open Source community by pointing out exactly what needs to be improved. Try writing some help documentation.

      The Gnome or GTK file dialog did not help matters at all. He found that he could not paste an HTTP link into this file dialog to have OpenOffice open the referenced file. In other words a file to be opened MUST exist on the local or mounted file system.
      So your Dad makes extensive use of opening URLs on foreign systems instead of local files? 1) can this even be done with MS Office's File Open dialog, and 2) who does this?

      Its help system seemed incomplete!
      Then help to complete it!

      There did not exist a credible alternative to Microsoft Access. The integrated database application is not friendly at all and leaves a lot to be desired.
      MS Access isn't included in MS Office Standard anyway. If your Dad is such a database maven, look into other tools. Just out of interest, did your Dad pay for MS Office Professional in the first place?

      Your {Dad's} complaints ring hollow.
    3. Re:Not only that... by Z34107 · · Score: 1

      Its help system seemed incomplete! Then help to complete it! [...] Your {Dad's} complaints ring hollow.

      I wonder what would happen if Microsoft expected its users to write their own help files.

      Especially when a user who needs the help file will not be able to write it. (If he already knew what he was looking for, why would he be looking it up in help to begin with?)

      Your Dad needs to choose between paying for MS Office and all that comes with it or accepting the free OpenOffice without impotent complaints about its "ugliness".

      He did. He chose Microsoft Office. Do you seriously expect everyone who just wants to use a word processor to join the OSS community and start churning out bug reports?

      --
      DATABASE WOW WOW
    4. Re:Not only that... by Anonymous Coward · · Score: 0

      Your Dad needs to choose between paying for MS Office and all that comes with it or accepting the free OpenOffice without impotent complaints about its "ugliness".

      He did. He chose Office. That OK with you?

    5. Re:Not only that... by Anonymous Coward · · Score: 0

      Are you retarded? These are legitimate user complaints. Until the linux community gets off its collective high horse and realizes that not everybody is a computer scientist, it'll never get anywhere. Most users are LAZY, and they want to use a program, not fucking write it.

  20. who downloads attachments from unknowns anyway by ZahnRosen · · Score: 4, Insightful

    This goes under the category of basic internet security. Don't open files from people you don't know. And if you do get a weird file from someone you don't know stop and think for 10 seconds about it before you open it. Or, buy a mac.

    1. Re:who downloads attachments from unknowns anyway by Anonymous Coward · · Score: 0

      exactly, if you do that you'll be fine... unless you do something stupid like run word with sudo.

    2. Re:who downloads attachments from unknowns anyway by Beryllium+Sphere(tm) · · Score: 2, Informative

      Network World reports that the exploit is being used in targeted attacks, for which the source and subject line could be made to appear plausible. If the spoofed From line is one of your coworkers' addresses, and the subject is something of current interest in the company, it would be easy to get fooled.

      How will buying a Mac help unless the team that coded Office for the Mac was much more security-conscious than the team that coded Office for Windows? The one thing that Mac has going for it is a good implementation of unprivileged accounts, but OS X has had plenty of privilege escalation bugs, and there's plenty of stuff in $HOME that you wouldn't want disclosed or damaged.

    3. Re:who downloads attachments from unknowns anyway by TheLink · · Score: 1

      Uh, a dangerous file is still a dangerous file whether it comes from a stranger or someone you know. It's not like you can only catch diseases from strangers ;).

      Macs are not more secure by design, so if everyone bought a mac, their computers would be worm infested spam spreading zombies in no time. If you are a Mac user and you want to be safe, stay a minority.

      A safe way to open a suspicious file is to use a different pristine machine and reimage that machine after that. Virtual machines might be ok but there is still a chance of "breaking out" if there's a bug in the virtualization system.

      --
  21. Underneath the radar by Vengeance_au · · Score: 2, Interesting

    Biggest problem with this sort of exploit, is it gets under the radar of people who actually know not to open executables etc that are sent to them - but a document? Unless they are aware of this exploit being "out there" people will receive an email with "teh funny.doc", "invite to my birthday.doc" or "pics of brittany + paris.doc" and double click without thinking. Boom - instant zombie machine.

    So all those family, friends and colleagues who you've (finally) trained not to open funny.exe or funny.scr are all vulnerable to this little beauty.

  22. Anyone remember milw0rm? by __aaijsn7246 · · Score: 4, Informative

    http://en.wikipedia.org/wiki/Milw0rm

    milw0rm is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Bombay, the primary nuclear research facility of India, on June 3, 1998. The attack generated heated debate on the security of information in a world prevalent with countries developing nuclear weapons, the ethics of "hacker activists" or "hacktivists," and the importance of advanced security measures in a modern world filled with teenagers willing and able to break into insecure international websites.

    1. Re:Anyone remember milw0rm? by Frosty+Piss · · Score: 1
      From the same Wikipedia article References section:

      ( www.milw0rm.com ) Security site run by no former milw0rm members
      --
      If you want news from today, you have to come back tomorrow.
  23. My favorite word processor is immune by davidwr · · Score: 2, Interesting

    Upside:

    Familiar user interface
    Fast
    Cheap
    WYSIWYG

    Downsides:

    Replacing blocks of text with larger-sized blocks of text difficult to impossible.
    Cut-and-paste is messy, literally.
    No automated search.

    My Word Processor

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:My favorite word processor is immune by newt0311 · · Score: 1

      emacs + LaTeX + pdfLaTeX + tex4ht (when it finally works properly) FTW.

    2. Re:My favorite word processor is immune by SnarfQuest · · Score: 1

      I've tried using that, but everyone always complained that my messages were corrupted and unreadable.

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
  24. Goddamn it by spellraiser · · Score: 3, Interesting

    From TFA:

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory," the US-CERT warned.

    So yet again it's a case of embedded code within a data file wreaking havoc. And as has already been reported in comments here, this vulnerability also exists in OO.org.

    Seeing this kind of thing always blows my mind. I would be greatly interested in hearing the rationale behind the decision to incorporate this feature. What the hell did they need that for?

    --
    I hear there's rumors on the Slashdots
    1. Re:Goddamn it by SpaceLifeForm · · Score: 1

      So they can spy on the user. If the holes are there by design,
      it would make sense there are other holes that have yet to
      be discovered.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    2. Re:Goddamn it by Beryllium+Sphere(tm) · · Score: 1

      >Data used by Microsoft Word to construct a destination address for a memory copy routine

      I can't wait to find out what this means. Every file format that creates data structures has "data used ... to construct a destination address", in an indirect sense.

    3. Re:Goddamn it by Anonymous Coward · · Score: 0
      And as has already been reported in comments here, this vulnerability also exists in OO.org.

      Sure sure, but the burning question on our minds is what about catdoc?

    4. Re:Goddamn it by cachimaster · · Score: 0

      I don't want to make you mad, but your rant is based mostly on ignorance. I believed the same about these bugs, but about a year ago I learnt about buffer overflows. There is no need for the data and code to be purposely embedded. There is no "feature" of putting code inside the file, but the exploit is just that: Executing bytes that were supposed to be data.

    5. Re:Goddamn it by cascadingstylesheet · · Score: 3, Interesting

      >So yet again it's a case of embedded code within a data
      >file wreaking havoc.
      >...
      >What the hell did they need that for?

      I don't know about the new XML-ish version, but the old DOC
      "format" was basically a Word memory dump. Not
      quite as surprising when you think of it that way ...

  25. I smell a rat by gx5000 · · Score: 1

    Why all these exploits now with applications that have been around for over seven years ??!!
    I mean if the latest version of word had a newly discovered bug, ok...move along, nothing to see here...
    But an exploit that can affect all three versions of Word (2000, 2002, 2003)??!!
    Oh sorry, up to three now aren't we....in the same month....

    I smell a rat...
    And I'll notice the Tail when Word 2007 is declared void of these exploits..
    Call me paranoid, but at least just call me...
    I'm glad I no longer work as MS Phone Support....

    Cheers

    --
    End of Line.
    1. Re:I smell a rat by Tetch · · Score: 1
      Why all these exploits now with applications that have been around for over seven years ?

      It's generally reckoned to be a result of the actual base operating system becoming finally, belatedly, somewhat secure ..... [ouch .. don't all hit me at once .. okay, okay - "heavily scrutinized and as patched as a patchwork quilt"] ... so by comparison it's now easier to target (i.e. find holes in) the application set that 90% of Windows users have installed. People didn't bother very much even looking for holes in Office before now, it was just so easy to find them in Windows itself. That's what I've read, anyway

      Note there's no let up in the stream of Internet Explorer holes and patches - that's still just as big a p-o-s as ever - but the RPC-DCOM bug-of-the-month supply seems to have dried up for now.

      --
      If you don't pray in my school, I won't think in your church.
  26. well then by williamstome · · Score: 0, Troll

    well then it's a good thing I don't download word documents ever :P

  27. "popular"?? (n/t) by toby · · Score: 0, Troll

    n/t

    --
    you had me at #!
  28. Not an Exploit - Guaranteeing Upgrades! by clark0r · · Score: 0, Redundant

    At last! A reason to tell my IT department to fork out the money for upgrades to Office 2007 when it comes out due to its "security". If they use the same line that the UK government does to sell ID cards, biometric passports, "it's safer", MS are sure to make more cash!

  29. So sad by Anonymous Coward · · Score: 0

    I run MS Word under Crossover Office so I can't see what the exploit is supposed to do:(

  30. I don't have "tagging rights" yet by Krigl · · Score: 1

    So would somebody be so kind to tag it as "yawn" instead of me? Thanks in advance. Maybe it would be useful to make a section "Holes and malware", put Microsoft in front of it, create columns for each of its products and just add crosses (dots, lines, whatever) for every new one. Dangerous ones could be red and click through to Secunia or the MS security page.

    --
    Troll 2.0 Fear my asocial networking!
  31. What if Word is the default email editor... by Panaqqa · · Score: 2, Interesting

    as is the case on many machines out there.

    I wonder if a properly crafted email could launch this one simply by clicking "Reply". Insights, anyone?

  32. abi-word, ooo by Lehk228 · · Score: 1

    abiword opens it as a blank file with a funny page dimension

    Openoffice complains about not enough memory to open the file and doesn't even try to open it

    --
    Snowden and Manning are heroes.
  33. Even OOo v2 doesn't interoperate with itself! wtf? by KWTm · · Score: 1

    Good luck trying to get pixel-perfect interoperability between MS Word and OOo. I can't even get OOo to interoperate with itself.

    I was using OOo on my Linux (Kubuntu) system to make a Christmas card, embedding a picture and positioning the text so that I can print it out and then fold it into a Christmas card. But I don't have a printer hooked up, so I had to move it to OOo on my wife's Windows (2000) box to print it. But the text had mysteriously resized itself so that it no longer fit properly and spilled out off the page.

    WTF!?? Both the Linux and the MS Win box use OOo v2, with the OpenDocument format. (I ended up having to export to PDF.)

    This OOo is getting to be quite a kludge. I can't wait for them to go the Mozilla route and toss out the entire codebase, rewriting the whole thing from scratch.

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  34. Re:Kinda limits Word's functionality, dontcha thin by Anonymous Coward · · Score: 0
    Microsoft suggests that users "do not open or save Word files,"


    I really like this quote! That kind of limits the functionality of a word processor if you can't open or save files, right?

    What exactly does Microsoft suggest that I do with Word files? Besides using them to fragment my hard-disk? Maybe I can burn them to keep warm in the winter... um, no.


    Wordpad opens .doc files just fine.

    Gee, I wonder why nobody designs exploits for MICROSOFT Wordpad or Notepad? Hmmm, I wonder? These are the two text editors I use the most, yet there are never any exploits for them and they are both Microsoft products. (Also, I have yet to see an exploit for MS-DOS edit or XyWrite for DOS)

    I'm sure with a little effort I could construct text files that will crash vi/vim. What's the big deal? So someone has a hate on for Microsoft and has too much time on their hands to spend on creating exploits for MS Word. Whoopee doo! I'll get back to work on my Windows system, unaffected by this as with every other "Microsoft security hole".

    And don't say WordPerfect or OpenOffice, those pigs are just as bad as MS Word, I'll stick to notepad, wordpad, ped and vim thanks. (Though I'm sure I can construct files to crash any of them, in fact I'm sure I can construct files to crash any application on any platform - who the fuck really cares?)
  35. C++ by Z34107 · · Score: 3, Insightful

    Uh if that happens then the language used is obviously unsafe.

    The language isn't "unsafe" - it just lets you do some very, very nifty stuff that noobtard programmers are better off leaving alone.

    C++ has perfectly "safe" features - the Standard Template Library has container classes like strings and vectors that won't overflow no matter how careless you are.

    For those who insist on going down to the byte level and concatenating their strings themselves, Microsoft included "safe" versions of these functions in Visual Studio 2005, and will compile with warnings if you use the dangerous, buffer-overrun-producing variants.

    Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit?

    Because a hacker's input and a programmer's overconfidence in his manual input validation (or lack thereof) put the hacker's code over the program itself. It fit just fine where the still-running program used to be.

    This can happen in any language - C++ programmers are simply notoriously bad at input validation.

    --
    DATABASE WOW WOW
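    Added example, not code from any commenter, from Microsoft Word or from the advisory: it models the bug class in the US-CERT text quoted above (a destination address for a memory copy taken from the document itself) with a constructed toy record format, and sets the unchecked loader beside the bounds-checked form the C++ comment argues for. Process memory is simulated as a byte arena so the unsafe path can be run without real undefined behaviour.

    ```cpp
    // Added example: file-controlled copy destination, unchecked vs. validated.
    // The record format and the memory arena are constructed for illustration.
    #include <cstdint>
    #include <cstring>
    #include <stdexcept>
    #include <vector>

    // Constructed layout: [u16 dest_offset LE][u16 len LE][len payload bytes]
    struct Record {
        uint16_t dest;
        uint16_t len;
        const uint8_t* payload;
    };

    // Simulated process memory: the document buffer, followed by unrelated
    // program state (stands in for heap metadata, saved pointers, and so on).
    constexpr size_t kDocBuf = 64;
    constexpr size_t kArena  = 128;

    // Parse one record; reject truncated input so the copy never reads past it.
    Record parse_record(const std::vector<uint8_t>& file) {
        if (file.size() < 4) throw std::runtime_error("truncated header");
        Record r;
        r.dest = static_cast<uint16_t>(file[0] | (file[1] << 8));
        r.len  = static_cast<uint16_t>(file[2] | (file[3] << 8));
        if (file.size() - 4 < r.len) throw std::runtime_error("truncated payload");
        r.payload = file.data() + 4;
        return r;
    }

    // Unsafe loader: dest is trusted straight from the file. The arena bound is
    // only there to keep the simulation well-defined; the real bug has no check.
    std::vector<uint8_t> load_unsafe(const std::vector<uint8_t>& file) {
        std::vector<uint8_t> mem(kArena, 0);
        Record r = parse_record(file);
        if (static_cast<size_t>(r.dest) + r.len > mem.size())
            throw std::runtime_error("simulation arena exceeded");
        std::memcpy(mem.data() + r.dest, r.payload, r.len);  // dest is untrusted
        return mem;
    }

    // Hardened loader: the destination range is validated against the document
    // buffer before the copy, so a record cannot reach bytes outside it.
    std::vector<uint8_t> load_safe(const std::vector<uint8_t>& file) {
        std::vector<uint8_t> mem(kArena, 0);
        Record r = parse_record(file);
        if (static_cast<size_t>(r.dest) + r.len > kDocBuf)
            throw std::out_of_range("record destination outside document buffer");
        std::memcpy(mem.data() + r.dest, r.payload, r.len);
        return mem;
    }

    // True when loading modified any byte beyond the document buffer.
    bool state_corrupted(const std::vector<uint8_t>& mem) {
        for (size_t i = kDocBuf; i < mem.size(); ++i)
            if (mem[i] != 0) return true;
        return false;
    }

    // Constructed sample files: a benign record (dest 16) and one whose dest
    // (70) lands in the unrelated state past the 64-byte document buffer.
    std::vector<uint8_t> benign_file()  { return {0x10, 0x00, 0x03, 0x00, 'a', 'b', 'c'}; }
    std::vector<uint8_t> hostile_file() { return {0x46, 0x00, 0x03, 0x00, 'x', 'y', 'z'}; }
    ```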
  36. Why is it executable anyway!? by VanessaE · · Score: 1
    This thread begs the question: Why the hell does a program even read data into memory in such a way as to allow code found therein to be executable in the first place?

    Why can't text documents be filtered when they're loaded? Grossly oversimplifying the idea here, but can't you just run the document through some simple sequential reading routine, strip out what isn't text, and then finally store what remains into memory a byte/word at a time? And set that memory range as non-executable (don't modern MMUs/CPUs do this?) before you start loading.

    And if the document did contain invalid data, warn the user that the document is corrupt (or some other equally non-threatening term that implies an invalid but possibly displayable file) and offer them a chance to discard what was loaded. Sure everyone will just hit the "Continue Loading" button anyway, but that's ok - the document has already been filtered. All that's left, ideally, is good old-fashioned 7-bit ASCII text.

    Yes it would be slower than using some sort of kernel block-load function, but it would also be safe. I don't know how you'd go about handling Unicode or stuff like UTF-8 (maybe translation tables?), but surely someone could figure out a similar solution.

    I recognise the need to allocate memory before loading a document, and I don't see that being a problem with a filtering scheme.. sure, there would be some wasted memory should the document end up shorter once it's loaded (because something was filtered out), but who cares? We're only talking a few hundred K tops, probably far less (I'm not a virus/exploit coder, so I don't track stuff like that).

    As for mixed-content documents like text+images, there's nothing that says you have to only have one filter that's good on the text portions - use additional filters to constrain the data being stored to valid images/sounds/whatever in addition to text.

    Binary formats like MS .DOC? Well...tough one there, you'd probably have to interpret the document as it's being loaded, into something reasonably non-dangerous like XML or something, throwing out whatever you run into that's not valid data for that format.

    1. Re:Why is it executable anyway!? by fostware · · Score: 2, Insightful

      OLE, DDE, etc...

      People's pretty WordArt wouldn't work otherwise

      Wait until you see how Publisher files are constructed - AFAICR each text box is a mini Publisher OLE object and let's not start on the picture boxes

      I feel sick just thinking about it :S

      --
      "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
  37. big bucks by zakeria · · Score: 1

    I paid for downloading office the hard way!!

  38. In fact... by Anonymous Coward · · Score: 0

    In fact, pushdown automatons ARE Turing-Complete, so EMACS is not that better :P

    * ducks *

  39. Re:Third Microsoft Word Code Execution Exploit Pos by LarsWestergren · · Score: 1

    Aha, so you have found the nam-shub of Enki. Please inform the cult of Asherah.

    --

    Being bitter is drinking poison and hoping someone else will die

  40. Well, Symantec Antivirus caught it.... by kenblakely · · Score: 2, Informative

    ....and quarantined the .doc demonstration file. Not much of a zero-day exploit....

  41. Does NX work around the bug? by Myria · · Score: 1

    Does NX cause Word to crash instead of run a worm with this exploit?

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  42. Unbelievable by AftanGustur · · Score: 3, Insightful

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself."

    If this is a standard practice at Microsoft, I'm beginning to understand why they are so reluctant to publish their protocols and standards.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  43. Zealot alert! by MicrosoftRepresentit · · Score: 0, Troll

    Fucking hell, man...if your attitude is anything to go by, no wonder the majority of open source software sucks in comparison to commercially produced alternatives. You have to understand that the vast majority of people use computers to *get things done*, and when they're not getting things done they want to have fun. Fixing other people's bugs, implementing missing functionality and writing their documentation doesn't fit into this equation, which is why most people are willing to pay for (ok, often pirate) commercial software. "put up with the shitness or fix it yourself" is an appalling attitude, but it seems to be what you're saying.

  44. Re:Even OOo v2 doesn't interoperate with itself! w by ThePhilips · · Score: 1

    +100. I've been there too. Forget about simultaneously editing document on more than two computers. (In fact same goes for M$O - though overall compatibility/portability is much better.)

    I would love it to just work, but at the moment PDF export is the only way to have a portable (in the read-only sense) document.

    --
    All hope abandon ye who enter here.
  45. MS World versus Google Earth ... by Anonymous Coward · · Score: 0
    who else read 'world' in the title?

    Third Microsoft World Code Execution Exploit Posted sort of the Microsoft approach to Google Earth...
  46. Also affects google docs by Anonymous Coward · · Score: 0

    Guys, also crashed Google docs :)
    try to upload the file to google docs and you'll see a Server Error

    http://www.milw0rm.com/sploits/12122006-djtest.doc

  47. Tagging by shadowmas · · Score: 2, Funny

    Why is there both a bugs and a Microsoft tag on this article? isn't it rather redundant having both tags?

  48. Easy fix, rewrite the exploits to bypass DRM by Anonymous Coward · · Score: 0

    Given Microsoft's apparent priorities, someone could take all three Word exploits from the wild, then rewrite them to bypass/disable Windows Media Player DRM. That would get Microsoft's attention. Do that and Microsoft will have a fix in only a little more time than it takes open source to make a fix!

  49. Re:Third Microsoft Word Code Execution Exploit Pos by Apocalypse111 · · Score: 1

    Behold, the dangers of Microsoft wetware.

    --
    There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
  50. Why I hate MS by nova20 · · Score: 1

    A few reasons:

    1) $300+ for the operating system and license. OS X Tiger is $129 for a single license, and Linux is free. If you buy Windows, MS Office, VS .NET, and a few other apps you've already spent $1,000 on that new computer you were going to build... and you don't have any parts yet.

    2) Proprietary formats -- like WMV's and .NET applications. They only run (reliably) on windows.

    3) Security issues. IE will probably *always* be a security risk because it is tied to the OS so deeply. MS releases so many patches to their operating system because it was poorly (and insecurely) written.

    4) Internet Explorer -- Not just because of security issues. When I install windows, I have a piece of software installed that I can't uninstall, and that so many applications rely on. Its HTML rendering isn't up to W3C specs, which forces web authors to "hack" for their pages to display properly.

  51. Bugdot? by asylumx · · Score: 1

    Thanks for the info.... when did you go live as Microsoft's bug database?

    Seriously, this isn't "stuff that matters"... If it is, why don't you post open source bugs every time they are discovered? Are you saying open source doesn't matter?

  52. OOo devs sometimes woefully out of touch... by zooblethorpe · · Score: 1
    It's my hope that the developers will see this and create a suite that people can use. Most of them have used Word-Perfect or Microsoft Office and should not find it hard to see what we are talking about. (emphasis mine)

    I'd like to agree with you, but my experience from following a number of bugs suggests otherwise. All of these are quite old, and prevent OOo from being much more useful than it presently is. Take the word-count issue, for instance: just about everyone I can think of that makes a living by writing absolutely fucking requires an accurate word count, configurable for different counts -- such as only the selected text, all text minus footnotes, all text everywhere in the document. And yet OOo does not seem to provide this. How blooming difficult can this be?

    Chinese, Japanese, and Korean (CJK) support in this area is completely non-existent. OOo is aware of double-byteness at some level, so why can't it discern CJK text from other types? Take the seventh paragraph from this page in Chinese as a good example. OOo seems to think the text has 7 "words" and 60 "characters". WTF is a "word" in this context? If I were to stretch the rules and actually count the Chinese words, I'd get something like 26, not 7. Hmm. But then, Chinese writers don't count words, they count characters (not including spaces). But then, OOo's "character" count is also useless in this regard, as we can't tell if this 60 "characters" includes spaces or not. Moreover, a lot of editors insist on having the Chinese character count and European word count -- this sample text includes two English words, so 60 "characters" here is beyond useless. AFAICT, no one dealing with CJK languages can use OOo exclusively for their business needs. And given a potential Chinese userbase of around a billion, that's a glaring shortfall.

    Given that all of the bugs linked to above are easily handled by MSO (and if memory serves by WP), and that they have been languishing in OOo's bug tracker system for several years, I can only conclude that OOo devs either just don't give a shit, or that they are woefully ignorant of the competition's capabilities. I suspect it's a combination of the two -- coding this kind of functionality just isn't as sexy or fun as some of the other stuff, and so it's allowed to linger. And if this tendency continues (which is looking more and more likely as time passes), OOo will wither on the vine.

    Forgive me, I am actually a bit bitter about this. I haven't the coding skills (nor time to acquire such skills) to help, or I'd just fix these damn issues myself. OOo is so close to useful. "OOo -- It's almost a good idea!" (TM) And therein lies some very intense frustration on the part of the OOo would-be userbase. Ah, well...

    --
    "What in the name of Fats Waller is that?"
    "A four-foot prune."
  53. language clue: ubiquitous != popular (n/t) by toby · · Score: 1

    no/t

    --
    you had me at #!
  54. stuck twiddling our thumbs... by Md525 · · Score: 1

    It seems as though we are supposed to stop business it is preposterous for many offices to be told not to open any word files. I know that there are other word processing programs and notepad, but ask yourself this: "does your company respond fast to technological changes?". Its simple there are some people in the company who will not be able to make a drastic change very quickly. You can however send an email to a friend call to confirm that the email is legit and not a bot sent version. But that removes the conveniences of email in itself. I wrote a blog post (http://www.iwantmyess.com/) about how you can circumvent the calling in confirmation. Michael