Slashdot Mirror


Third Microsoft Word Code Execution Exploit Posted

gregleimbeck writes "Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened."

35 of 174 comments

  1. Thanks for the proof by Anonymous Coward · · Score: 4, Funny

    I always suspected that Microsoft Word was Turing-complete.

    1. Re:Thanks for the proof by spellraiser · · Score: 4, Funny

      No, that's Emacs. MS Word is a pushdown automaton at best.

      --
      I hear there's rumors on the Slashdots
  2. This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 5, Interesting

    I tried to open the PoC with OpenOffice 2.0.4 and it crashed. Can someone confirm?

    ooffice2 12122006-djtest.doc
    /usr/lib/openoffice/program/soffice: line 236: 12793 Segmentation fault "$sd_prog/$sd_binary" "$@"

    This may not be a code execution bug; I'll try to trace it with gdb to see what happens.

    --
    Ads? What ads?
    1. Re:This appears to affect OpenOffice 2.0.4? by phunster · · Score: 2, Interesting

      It crashed OO 2.1 here

    2. Re:This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 4, Insightful

      The gdb backtrace shows that the crash occurs in SwIoSystem::IsFileFilter (). EIP may not have been overwritten; the value points into what appears to be a valid function (i.e. not the stack or heap):

      eip 0xb7286b4d 0xb7286b4d osl_getVolumeInformation+4487

      Of course, this is probably because the exploit was designed to crash MS Word in the first place, not execute arbitrary code.

      --
      Ads? What ads?
    3. Re:This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 3, Interesting

      This is actually quite scary considering the size of Office documents. Store the executable code embedded in the metadata where user-supplied text would normally exist, using a nop slide of several kilobytes at the start. You have at least 26 kilobytes after all... imagine what could be done with 10k of executable code.

      --
      Ads? What ads?
    4. Re:This appears to affect OpenOffice 2.0.4? by Gothmolly · · Score: 5, Insightful

      ...imagine what could be done with 10k of executable code

      Run Visicalc?

      --
      I want to delete my account but Slashdot doesn't allow it.
    5. Re:This appears to affect OpenOffice 2.0.4? by droopycom · · Score: 2, Funny

      Don't worry!
      Don't you know that OpenOffice.org uses Slashdot as a bug tracking system??

    6. Re:This appears to affect OpenOffice 2.0.4? by TigerNut · · Score: 2, Insightful

      You can't fault the programming language. The problem is in the application if it doesn't check buffer size against how much data is being read; it's in the OS if the problem is occurring when the application does a system call of some sort and is compromised in the process.

      However... it looks like there are Oo.org users digging into that side of the problem. Probably they'll have an accurate synopsis of the failure mechanism and a patch on the way in a few days. Unfortunately we can't say the same (with the same confidence level) about MS Word.

      --

      Less is more.

  3. Re:Third Microsoft Word Code Execution Exploit Pos by __aaclcg7560 · · Score: 3, Funny

    I did. My brain went blue screen and shut down. My attorney will be in touch.

  4. Kinda limits Word's functionality, dontcha think? by kbob88 · · Score: 5, Funny

    Microsoft suggests that users "do not open or save Word files,"

    I really like this quote! That kind of limits the functionality of a word processor if you can't open or save files, right?

    What exactly does Microsoft suggest that I do with Word files? Besides using them to fragment my hard-disk? Maybe I can burn them to keep warm in the winter... um, no.

    Or perhaps I'll just use Word to create and save HTML files!!
  5. Re:Wait, who still uses M$ 0ffice? by phrasebook · · Score: 5, Insightful

    I tried switching my dad to Open Office when we couldn't find the MS Office CD - he immediately complained that the small fonts he was using in his spreadsheets (less than 8 points) didn't render nicely in OO compared to Excel, so he went and bought a copy of Office 2003.

    Little things like that count for a lot. OO might be more secure than MS Office, but it's terrible quality software in user-visible ways (i.e. it's ugly, slow and bloated). These things count to people. Little problems can't just be overlooked because it's free. My dad could pick it apart within minutes, and he doesn't normally care about software at all. He didn't care about paying for Office either, in fact he didn't think twice about it.

    That's why. Nothing to do with TCO, Microsoft being evil, security, monopoly or anything else. OpenOffice just isn't very good in the ways that count to regular users.

  6. Suddenly, up pops: Hackie by Anonymous Coward · · Score: 4, Funny

    "I see that you are trying to craft an exploit. Would you like me to assist?"

  7. Re:Wait, who still uses M$ 0ffice? by Vengeance_au · · Score: 5, Interesting

    We use both Microsoft Office and OpenOffice in our company. OO is for all internal documents, and Microsoft Office is used for external client work - purely for interoperability with corporate / government clients. Open Office can save into Microsoft Office format, but there are invariably subtle differences in the final layout - and that is just plain unacceptable.

    In the past 12 months a few clients have started using OO and we now share OO documents with them - but they are by far the minority. Hopefully the new "Open" format Microsoft is coming out with will break the barrier down, and allow pixel-perfect interoperability, but until then it is very difficult to operate in a corporate world without the "de-facto" Microsoft Office standard.

  8. Re:Wait, who still uses M$ 0ffice? by mcrbids · · Score: 4, Insightful

    If you knew enough to download it for him you should have known enough to turn on antialiasing for font sizes 8 and lower in the options menu.

    And if you knew end-users enough to comment on them, you should have known enough that end-users won't know how to turn this on.

    See, software shouldn't "get in the way" of what you're trying to do.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  9. who downloads attachments from unknowns anyway by ZahnRosen · · Score: 4, Insightful

    This goes under the category of basic internet security. Don't open files from people you don't know. And if you do get a weird file from someone you don't know, stop and think for 10 seconds about it before you open it. Or, buy a mac.

    1. Re:who downloads attachments from unknowns anyway by Beryllium+Sphere(tm) · · Score: 2, Informative

      Network World reports that the exploit is being used in targeted attacks, for which the source and subject line could be made to appear plausible. If the spoofed From line is one of your coworkers' addresses, and the subject is something of current interest in the company, it would be easy to get fooled.

      How will buying a Mac help unless the team that coded Office for the Mac was much more security-conscious than the team that coded Office for Windows? The one thing that Mac has going for it is a good implementation of unprivileged accounts, but OS X has had plenty of privilege escalation bugs, and there's plenty of stuff in $HOME that you wouldn't want disclosed or damaged.

  10. Underneath the radar by Vengeance_au · · Score: 2, Interesting

    Biggest problem with this sort of exploit, is it gets under the radar of people who actually know not to open executables etc that are sent to them - but a document? Unless they are aware of this exploit being "out there" people will receive an email with "teh funny.doc", "invite to my birthday.doc" or "pics of brittany + paris.doc" and double click without thinking. Boom - instant zombie machine.

    So all those family, friends and colleagues who you've (finally) trained not to open funny.exe or funny.scr are all vulnerable to this little beauty.

  11. Anyone remember milw0rm? by __aaijsn7246 · · Score: 4, Informative

    http://en.wikipedia.org/wiki/Milw0rm

    milw0rm is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Bombay, the primary nuclear research facility of India, on June 3, 1998. The attack generated heated debate on the security of information in a world prevalent with countries developing nuclear weapons, the ethics of "hacker activists" or "hacktivists," and the importance of advanced security measures in a modern world filled with teenagers willing and able to break into insecure international websites.

  12. My favorite word processor is immune by davidwr · · Score: 2, Interesting

    Upside:

    Familiar user interface
    Fast
    Cheap
    WYSIWYG

    Downsides:

    Replacing blocks of text with larger-sized blocks of text difficult to impossible.
    Cut-and-paste is messy, literally.
    No automated search.

    My Word Processor

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. Goddamn it by spellraiser · · Score: 3, Interesting

    From TFA:

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory," the US-CERT warned.

    So yet again it's a case of embedded code within a data file wreaking havoc. And as has already been reported in comments here, this vulnerability also exists in OO.org.

    Seeing this kind of thing always blows my mind. I would be greatly interested in hearing the rationale behind the decision to incorporate this feature. What the hell did they need that for?

    --
    I hear there's rumors on the Slashdots
    1. Re:Goddamn it by cascadingstylesheet · · Score: 3, Interesting

      >So yet again it's a case of embedded code within a data
      >file wreaking havoc.
      >...
      >What the hell did they need that for?

      I don't know about the new XML-ish version, but the old DOC
      "format" was basically a Word memory dump. Not
      quite as surprising when you think of it that way ...
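
The pattern in the US-CERT text quoted above (a copy destination built from a value stored in the document), shown as an added C example that is not from the thread, Microsoft or OpenOffice. The record layout, function names and buffer size are assumptions for a toy format, not the real .doc structure; the unchecked function is the flawed pattern and the checked one is the hardened form.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WORK_SIZE 64u                 /* assumed size of the parser's buffer */
static uint8_t g_work[WORK_SIZE];     /* working buffer the records write to */

/* Hypothetical record layout: [dst_off:4 LE][len:4 LE][len bytes of data] */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: destination = base + value taken straight from the file. */
int apply_record_unchecked(uint8_t *work, const uint8_t *rec, size_t rec_len) {
    if (rec_len < 8) return -1;
    uint32_t off = rd_le32(rec), len = rd_le32(rec + 4);
    memcpy(work + off, rec + 8, len);  /* off and len are file-controlled */
    return 0;
}

/* Hardened: each file-supplied value is checked against both buffers. */
int apply_record_checked(uint8_t *work, const uint8_t *rec, size_t rec_len) {
    if (rec_len < 8) return -1;              /* truncated header */
    uint32_t off = rd_le32(rec), len = rd_le32(rec + 4);
    if (len > rec_len - 8) return -2;        /* source would be over-read */
    if (off > WORK_SIZE) return -3;          /* destination out of range */
    if (len > WORK_SIZE - off) return -4;    /* copy would run past the end */
    memcpy(work + off, rec + 8, len);
    return 0;
}

/* Constructed samples: one well-formed record and two malformed ones. */
static const uint8_t GOOD[]    = { 4,0,0,0,             3,0,0,0, 'a','b','c' };
static const uint8_t BAD_OFF[] = { 0xF0,0xFF,0xFF,0xFF, 3,0,0,0, 'x','y','z' };
static const uint8_t BAD_LEN[] = { 62,0,0,0,            3,0,0,0, 'x','y','z' };

int main(void) {
    int ok  = apply_record_checked(g_work, GOOD, sizeof GOOD);
    int off = apply_record_checked(g_work, BAD_OFF, sizeof BAD_OFF);
    int len = apply_record_checked(g_work, BAD_LEN, sizeof BAD_LEN);
    return (ok == 0 && off == -3 && len == -4) ? 0 : 1;
}
```

The subtraction form `len > WORK_SIZE - off` is used instead of `off + len > WORK_SIZE` so that a large file-supplied offset cannot wrap the 32-bit sum and slip past the check.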

  14. Re:Wait, who still uses M$ 0ffice? by dc29A · · Score: 3, Insightful

    But seriously, why would anyone use anything M$ when there are non-stop bugs and security holes. Open Office / Google Writely anyone?

    (Insert random application name here) with vulnerability running as root is the problem. MS Word hole only amplifies it because it's widely used. But the problem is that everyone and their dog is running Windows as administrator.

  15. Re:Wait, who still uses M$ 0ffice? by that+this+is+not+und · · Score: 2, Insightful

    To the contrary, OpenOffice requires significantly more hardware resources to run than usable versions of MS Office. I have run Office 2000 in a usable state on an old '486 laptop with 40M of ram.

    Open Office is unusable on such a machine. It's probably 'coded better' with C++ and what-not, creating bloated structures and resource piggishness. There is probably an old version of StarOffice that would run fine on the '486, but the notion that OpenOffice is magically 'less of a load on the machine' is just wrong.

  16. Re:Not only that... by twistedcubic · · Score: 2, Interesting

    I think one drawback is that many people who use free software in their professional lives use tools that are far superior to MS Word for writing documents, and these people never test OO.org and thus never give positive feedback to OO.org developers. When you know for certain that MS Word is useless for your endeavors, any app attempting to replace it will be considered really useless. I think people are mistaken when they claim OO.org will be the magic bullet that thrusts free software into the mainstream. Firefox already did it. But I think Gnumeric and Abiword have a much better chance than OO.org.

  17. Re:Wait, who still uses M$ 0ffice? by newt0311 · · Score: 2, Funny

    OOo is nice because it is free. It is however the most bloated piece of software that I have seen in terms of resource consumption including MS products. True non-bloatedness comes with emacs+LaTeX. Now there are things which do not take up any significant resources (until they are done reading my 33K startup .emacs file and increasing buffer and undo limits to ungodly levels that is.).

  18. What if Word is the default email editor... by Panaqqa · · Score: 2, Interesting

    as is the case on many machines out there.

    I wonder if a properly crafted email could launch this one simply by clicking "Reply". Insights, anyone?

  19. Re:Wait, who still uses M$ 0ffice? by SnowZero · · Score: 4, Informative

    If you want more of your clients to change to OO, just run "strings" on their .doc files and email them the parts that came from other documents. That should be enough to get them to change their minds about it.

    (For the uninitiated, as you edit a document in MS Word, it picks up bits of other documents you have open at the time or even previously opened. This is because it doesn't clear memory before using it, and the fast-save file format is really more a memory dump. This may have been fixed in the latest version of MS Word; I certainly hope so...)

  20. Re:Another day, another misfeature. by dsci · · Score: 3, Informative

    And UNIX people know this, as it took decades to fix their OS.

    Speaking specifically about using file extensions, I think 'decades' is a little strong.

    From Wikipedia's FILE entry:

    The original version of file originated in Unix Research Version 4 in 1973 ... file's position-sensitive tests are normally implemented by matching various locations within the file against a textual database of magic numbers (see the Usage section). This differs from other simpler methods such as file extensions and schemes like MIME.

    Even if you happen to believe that the real improvements to file were not made until System V, that was 1983...so not decadeS, but decade.

    So no, not a troll and not revisionist. You make it sound like Unix was not usable until the 1990's.

    --
    Computational Chemistry products and services.
  21. C++ by Z34107 · · Score: 3, Insightful

    Uh if that happens then the language used is obviously unsafe.

    The language isn't "unsafe" - it just lets you do some very, very nifty stuff that noobtard programmers are better off leaving alone.

    C++ has perfectly "safe" features - the Standard Template Library has container classes like strings and vectors that won't overflow no matter how careless you are.

    For those who insist on going down to the byte level and concatenating their strings themselves, Microsoft included "safe" versions of these functions in Visual Studio 2005, and will compile with warnings if you use the dangerous, buffer-overrun-producing variants.

    Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit?

    Because a hacker's input and a programmer's overconfidence in his manual input validation (or lack thereof) put the hacker's code over the program itself. It fit just fine where the still-running program used to be.

    This can happen in any language - C++ programmers are simply notoriously bad at input validation.

    --
    DATABASE WOW WOW
  22. Re:Why is it executable anyway!? by fostware · · Score: 2, Insightful

    OLE, DDE, etc...

    People's pretty WordArt wouldn't work otherwise

    Wait until you see how Publisher files are constructed - AFAICR each text box is a mini Publisher OLE object and let's not start on the picture boxes

    I feel sick just thinking about it :S

    --
    "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
  23. Well, Symantec Antivirus caught it.... by kenblakely · · Score: 2, Informative

    ....and quarantined the .doc demonstration file. Not much of a zero-day exploit....

  24. Unbelievable by AftanGustur · · Score: 3, Insightful

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself."

    If this is a standard practice at Microsoft, I'm beginning to understand why they are so reluctant to publish their protocols and standards.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  25. Re:Wait, who still uses M$ 0ffice? by ThePhilips · · Score: 2, Informative

    It's probably 'coded better' with C++ and what-not, creating bloated structures and resource piggishness.

    It is not. M$Office is much more optimized (by all means) product. StarOffice itself was based on previous work - so the code base was already split even before Sun acquisition. And then add development of Sun and OO.o which do not perfectly fit each other.

    And Sun's following development effort which threw in Java to the backet didn't help either.

    The result is buggy bloated mess. Don't argue with me. I use OOo every day. And I had read the source code.

    It's free - but there is nothing more to it. ODF compatibility is still far below any usability level so all the PR talk about ODF magic is just what it is - PR talk. IOW, all OOo has now is its free beer's price: $0.00.

    --
    All hope abandon ye who enter here.
  26. Tagging by shadowmas · · Score: 2, Funny

    Why is there both a bugs and a Microsoft tag on this article? Isn't it rather redundant having both tags?