Slashdot Mirror


Third Microsoft Word Code Execution Exploit Posted

gregleimbeck writes "Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened."

13 of 174 comments

  1. Thanks for the proof by Anonymous Coward · · Score: 4, Funny

    I always suspected that Microsoft Word was Turing-complete.

    1. Re:Thanks for the proof by spellraiser · · Score: 4, Funny

      No, that's Emacs. MS Word is a pushdown automaton at best.

      --
      I hear there's rumors on the Slashdots
  2. This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 5, Interesting

    I tried to open the PoC with OpenOffice 2.0.4 and it crashed. Can someone confirm?

    ooffice2 12122006-djtest.doc
    /usr/lib/openoffice/program/soffice: line 236: 12793 Segmentation fault "$sd_prog/$sd_binary" "$@"

    This may not be a code execution bug; I'll try to trace it with gdb to see what happens.

    --
    Ads? What ads?
    1. Re:This appears to affect OpenOffice 2.0.4? by Rupan · · Score: 4, Insightful

      The gdb backtrace shows that the crash occurs in SwIoSystem::IsFileFilter (). EIP may not have been overwritten; the value points into what appears to be a valid function (i.e. not the stack or heap):

      eip 0xb7286b4d 0xb7286b4d osl_getVolumeInformation+4487

      Of course, this is probably because the exploit was designed to crash MS Word in the first place, not execute arbitrary code.

      --
      Ads? What ads?
    2. Re:This appears to affect OpenOffice 2.0.4? by Gothmolly · · Score: 5, Insightful

      ...imagine what could be done with 10k of executable code

      Run Visicalc?

      --
      I want to delete my account but Slashdot doesn't allow it.
  3. Kinda limits Word's functionality, dontcha think? by kbob88 · · Score: 5, Funny

    Microsoft suggests that users "do not open or save Word files,"

    I really like this quote! That kind of limits the functionality of a word processor if you can't open or save files, right?

    What exactly does Microsoft suggest that I do with Word files? Besides using them to fragment my hard-disk? Maybe I can burn them to keep warm in the winter... um, no.

    Or perhaps I'll just use Word to create and save HTML files!!
  4. Re:Wait, who still uses M$ 0ffice? by phrasebook · · Score: 5, Insightful

    I tried switching my dad to Open Office when we couldn't find the MS Office CD - he immediately complained that the small fonts he was using in his spreadsheets (less than 8 points) didn't render nicely in OO compared to Excel, so he went and bought a copy of Office 2003.

    Little things like that count for a lot. OO might be more secure than MS Office, but it's terrible quality software in user-visible ways (i.e. it's ugly, slow and bloated). These things count to people. Little problems can't just be overlooked because it's free. My dad could pick it apart within minutes, and he doesn't normally care about software at all. He didn't care about paying for Office either, in fact he didn't think twice about it.

    That's why. Nothing to do with TCO, Microsoft being evil, security, monopoly or anything else. OpenOffice just isn't very good in the ways that count to regular users.

  5. Suddenly, up pops: Hackie by Anonymous Coward · · Score: 4, Funny

    "I see that you are trying to craft an exploit. Would you like me to assist?"

  6. Re:Wait, who still uses M$ 0ffice? by Vengeance_au · · Score: 5, Interesting

    We use both Microsoft Office and OpenOffice in our company. OO is for all internal documents, and Microsoft Office is used for external client work - purely for interoperability with corporate / government clients. Open Office can save into Microsoft Office format, but there are invariably subtle differences in the final layout - and that is just plain unacceptable.

    In the past 12 months a few clients have started using OO and we now share OO documents with them - but they are by far the minority. Hopefully the new "Open" format Microsoft is coming out with will break the barrier down, and allow pixel-perfect interoperability, but until then it is very difficult to operate in a corporate world without the "de-facto" Microsoft Office standard.

  7. Re:Wait, who still uses M$ 0ffice? by mcrbids · · Score: 4, Insightful

    If you knew enough to download it for him you should have known enough to turn on antialiasing for font sizes 8 and lower in the options menu.

    And if you knew end-users enough to comment on them, you should have known enough that end-users won't know how to turn this on.

    See, software shouldn't "get in the way" of what you're trying to do.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  8. who downloads attachments from unknowns anyway by ZahnRosen · · Score: 4, Insightful

    This goes under the category of basic internet security. Don't open files from people you don't know. And if you do get a weird file from someone you don't know, stop and think for 10 seconds about it before you open it. Or, buy a Mac.

  9. Anyone remember milw0rm? by __aaijsn7246 · · Score: 4, Informative

    http://en.wikipedia.org/wiki/Milw0rm

    milw0rm is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Bombay, the primary nuclear research facility of India, on June 3, 1998. The attack generated heated debate on the security of information in a world prevalent with countries developing nuclear weapons, the ethics of "hacker activists" or "hacktivists," and the importance of advanced security measures in a modern world filled with teenagers willing and able to break into insecure international websites.

  10. Re:Wait, who still uses M$ 0ffice? by SnowZero · · Score: 4, Informative

    If you want more of your clients to change to OO, just run "strings" on their .doc files and email them the parts that came from other documents. That should be enough to get them to change their minds about it.

    (For the uninitiated, as you edit a document in MS Word, it picks up bits of other documents you have open at the time or even previously opened. This is because it doesn't clear memory before using it, and the fast-save file format is really more a memory dump. This may have been fixed in the latest version of MS Word; I certainly hope so...)
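
The leftover-text problem described in the last comment can be checked on your own documents before they leave the building. The following is an added example, not part of the original thread: it extracts printable runs in both ASCII and UTF-16LE and reports anything that is not in the text you meant to send. The function names, the allowlist and the sample bytes are assumptions made for illustration; the sample is constructed and is not a real Word file.

```python
import re

MIN_LEN = 6  # shortest run worth reporting, like `strings -n 6`
# Printable ASCII, and the same characters as UTF-16LE (char + 0x00),
# the encoding Word uses for much of its text (`strings` needs `-e l` for it).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes):
    """Return sorted (offset, encoding, text) for each printable run."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in UTF16_RUN.finditer(data)]
    return sorted(found)


def find_residue(data: bytes, intended_text: str, allow=()):
    """Runs that are neither in the intended text nor allowlisted."""
    residue = []
    for offset, enc, text in extract_strings(data):
        text = text.strip()
        if not text or text in intended_text:
            continue
        if any(a in text for a in allow):
            continue  # format noise such as font names
        residue.append((offset, enc, text))
    return residue


# Constructed sample bytes, not a real Word file: OLE2 magic, the text the
# author meant to send, a font name, and a leftover fragment of another file.
INTENDED = "Quarterly report for Client A."
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    + INTENDED.encode("utf-16le") + b"\x00" * 16
    + b"Times New Roman\x00" + b"\x01\x02\x03"
    + "Draft offer to Client B: 40% discount".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, enc, text in find_residue(SAMPLE, INTENDED, ("Times New Roman",)):
        print(f"{offset:#06x} {enc:9} {text}")
```

On a real file the allowlist has to grow to cover font names, style names and application metadata before the remaining hits are worth reading by hand.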