Slashdot Mirror


Third Microsoft Word Code Execution Exploit Posted

gregleimbeck writes "Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened."

10 of 174 comments

  1. This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 5, Interesting

    I tried to open the PoC with OpenOffice 2.0.4 and it crashed. Can someone confirm?

    $ ooffice2 12122006-djtest.doc
    /usr/lib/openoffice/program/soffice: line 236: 12793 Segmentation fault "$sd_prog/$sd_binary" "$@"

    This may not be a code execution bug; I'll try to trace it with gdb to see what happens.

    --
    Ads? What ads?
    1. Re:This appears to affect OpenOffice 2.0.4? by phunster · · Score: 2, Interesting

      It crashed OO 2.1 here

    2. Re:This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 3, Interesting

      This is actually quite scary considering the size of Office documents. Store the executable code embedded in the metadata where user-supplied text would normally exist, using a nop slide of several kilobytes at the start. You have at least 26 kilobytes after all... imagine what could be done with 10k of executable code.

      --
      Ads? What ads?
  2. Re:Wait, who still uses M$ 0ffice? by Vengeance_au · · Score: 5, Interesting

    We use both Microsoft Office and OpenOffice in our company. OO is for all internal documents, and Microsoft Office is used for external client work - purely for interoperability with corporate / government clients. Open Office can save into Microsoft Office format, but there are invariably subtle differences in the final layout - and that is just plain unacceptable.

    In the past 12 months a few clients have started using OO and we now share OO documents with them - but they are by far the minority. Hopefully the new "Open" format Microsoft is coming out with will break the barrier down, and allow pixel-perfect interoperability, but until then it is very difficult to operate in a corporate world without the "de-facto" Microsoft Office standard.

  3. Underneath the radar by Vengeance_au · · Score: 2, Interesting

    Biggest problem with this sort of exploit is it gets under the radar of people who actually know not to open executables etc. that are sent to them - but a document? Unless they are aware of this exploit being "out there", people will receive an email with "teh funny.doc", "invite to my birthday.doc" or "pics of brittany + paris.doc" and double click without thinking. Boom - instant zombie machine.

    So all those family, friends and colleagues who you've (finally) trained not to open funny.exe or funny.scr are all vulnerable to this little beauty.

  4. My favorite word processor is immune by davidwr · · Score: 2, Interesting

    Upside:

    Familiar user interface
    Fast
    Cheap
    WYSIWYG

    Downsides:

    Replacing blocks of text with larger-sized blocks of text difficult to impossible.
    Cut-and-paste is messy, literally.
    No automated search.

    My Word Processor

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Goddamn it by spellraiser · · Score: 3, Interesting

    From TFA:

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory," the US-CERT warned.

    So yet again it's a case of embedded code within a data file wreaking havoc. And as has already been reported in comments here, this vulnerability also exists in OO.org.

    Seeing this kind of thing always blows my mind. I would be greatly interested in hearing the rationale behind the decision to incorporate this feature. What the hell did they need that for?

    --
    I hear there's rumors on the Slashdots
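The US-CERT description quoted above, illustrated as an added example that is not code from the original thread or from any Word or OpenOffice parser: a file-supplied destination offset feeds a memory copy, and the parser needs an overflow-safe bounds check before trusting it. The record layout, DOC_MEM_SIZE and every function name here are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (an assumption, not the real .doc format):
 *   bytes 0..3  destination offset, little-endian
 *   bytes 4..7  payload length, little-endian
 *   bytes 8..   payload                                             */
#define DOC_MEM_SIZE 256u
#define HDR_SIZE     8u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Copy the record payload into doc_mem at the file-supplied offset.
 * Returns 0 on success, -1 when the record is rejected. */
int apply_record(uint8_t *doc_mem, size_t doc_size,
                 const uint8_t *rec, size_t rec_len) {
    if (rec_len < HDR_SIZE) return -1;
    uint32_t off = rd_le32(rec), len = rd_le32(rec + 4);
    /* Overflow-safe bound: compare against the remaining room, never
     * "off + len <= doc_size", because off + len can wrap to a small value. */
    if (off > doc_size || len > doc_size - off) return -1;
    if (len > rec_len - HDR_SIZE) return -1;  /* payload truncated in file */
    memcpy(doc_mem + off, rec + HDR_SIZE, len);
    return 0;
}

/* Build one record from constructed values and run it through the parser. */
int try_record(uint32_t off, uint32_t len) {
    uint8_t doc_mem[DOC_MEM_SIZE] = {0};
    uint8_t rec[HDR_SIZE + 32] = {0};
    uint32_t n = len < 32 ? len : 32;      /* payload bytes actually present */
    wr_le32(rec, off); wr_le32(rec + 4, len);
    memset(rec + HDR_SIZE, 'A', n);
    return apply_record(doc_mem, DOC_MEM_SIZE, rec, HDR_SIZE + n);
}

int main(void) {
    printf("in bounds  off=16  len=32 -> %d\n", try_record(16, 32));            /* 0  */
    printf("past end   off=240 len=32 -> %d\n", try_record(240, 32));           /* -1 */
    printf("wrapping   off=0xFFFFFFF0 -> %d\n", try_record(0xFFFFFFF0u, 32));  /* -1 */
    printf("truncated  off=0   len=64 -> %d\n", try_record(0, 64));             /* -1 */
    return 0;
}
```

The wrapping case is the one a naive `off + len <= doc_size` check would accept: in 32-bit arithmetic 0xFFFFFFF0 + 32 wraps to 0x10.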
    1. Re:Goddamn it by cascadingstylesheet · · Score: 3, Interesting

      >So yet again it's a case of embedded code within a data
      >file wreaking havoc.
      >...
      >What the hell did they need that for?

      I don't know about the new XML-ish version, but the old DOC
      "format" was basically a Word memory dump. Not
      quite as surprising when you think of it that way ...

  6. Re:Not only that... by twistedcubic · · Score: 2, Interesting

    I think one drawback is that many people who use free software in their professional lives use tools that are far superior to MS Word for writing documents, and these people never test OO.org and thus never give positive feedback to OO.org developers. When you know for certain that MS Word is useless for your endeavors, any app attempting to replace it will be considered really useless. I think people are mistaken when they claim OO.org will be the magic bullet that thrusts free software into the mainstream. Firefox already did it. But I think Gnumeric and Abiword have a much better chance than OO.org.

  7. What if Word is the default email editor... by Panaqqa · · Score: 2, Interesting

    as is the case on many machines out there.

    I wonder if a properly crafted email could launch this one simply by clicking "Reply". Insights, anyone?