How Do You Handle New MS Word Vulnerabilities?
chipperdog asks: "With yet another zero-day exploit of MS-Word document files, what are fellow system admins doing to protect themselves against these threats? I have been blocking all .doc and .dot at the mail and proxy servers until malware scanners have signatures to detect and block the malicious files. Of course, this caused an uproar with the users, as there were continuous calls like: 'When can I send and receive Word files again' and 'I can't get anything done if I can't send/receive Word files'. Any suggestion of sending documents in different formats (like rtf, html, txt, or pdf) results in even more creative user 'feedback'. Has anyone done anything creative in their handling of Word files — like having qmail-scanner pipe all .doc attachments through something such as wv to convert them to a less exploitable format?"
Let the users sort it out for themselves.
You can't suddenly cut off the exchange of Word documents in any modern business. Unless you can justify bringing your company to a halt over some vulnerabilities with no real-world risk, you just can't do it.
All attached DOC files are filtered and placed into a user's quarantine folder (to which they have access via a web browser). Simple permissions keep them from accessing the file itself until it can be checked. Once checked, permissions are changed and the user can pull the document.
It's frustrating for the end user as they don't have instant access to their attachment (sometimes there's a 4-hour delay before the file can be manually inspected -- still waiting for some def-files!) and it's taxing my staff time-wise to do this (we've got better things to do than check for any monkey-business in Word documents). We've suggested everyone convert to PDFs and send THOSE and it's been working, but it's still a disruption.
% strings $1 | less
(I'm almost serious).
Tell the users to rename the files to .dat. That's what we do for sending files around that our mail server blocks. The content of the e-mail would tell the user to rename the file back to .doc. We often send vbs scripts around that we rename to .txt to get around our mail server.
It's amazing how, we've been fighting this uphill battle to get our users to use Open Office, and now all of the sudden, managers are calling us to make sure all of their users have it. :-) Some days, I like my job. :-)
Coworker of mine has a sawed off hoe handle, which he maintains was useful for maintenance on an obscure now-obsolete color proofer. Routine application of this to users is beneficial in stopping the spread of these documents.
Heh.
The bulk of our traffic here is excel and powerpoint, so limiting word documents hasn't been a real problem. Additionally, corporate used to require stupidly high end router hardware in all parts of the building which was abusive on the budget, but, at times like this, comes in handy.
Killing your company's productivity by not allowing the exchange of information? A big no-no. Plus it is all too easy to get around (rename the extension, zip the file, etc).
A better solution is to educate the users - send out a mass email explaining the vulnerability, that you shouldn't be opening any doc's you aren't expecting. If you do, it is your own damn fault and the timeliness of the fixing of your machine can not be guaranteed. There is no reason to choke business as you have, and quite frankly the users have every reason to be upset.
Does "zero-day" still mean what it once meant? People are calling exploits "zero-day" weeks after they are available.
"Zero-day" means it was released today. Every exploit was "zero-day" sometime, but ceased to be the next day.
Yeah, OK. Now, does anyone have a reasonable solution?
Personally I just shake my head about sysadmins scratching their heads.. "Oh no! What do I do! There is a vulnerability in word!" ..
:)
SO?! One course of action would be to argue for the implementation of another Office Suite - such as Open Office. It's not as widely used, and thus less likely to be hit by a widespread attack. An attack against Open Office quite simply won't spread as widely.
And there are other alternatives. For those of us using other operating systems, we can often import the word documents into other software again.
Of course, some people are stuck in a windows only environment - but for those I only have one advice: "Get out while you've still got (most) of your sanity!".
I'm lucky enough to not admin end users. Used to admin end users - and that causes nothing but grief. Especially the windows using ones.. the Mac using ones, for some reason - are way more self-reliant. The unix users only wanted me to compile the CVS version of KDE - and mplayer. The rest they did themselves. Windows users on the other hand, need help with everything from mounting a drive to whatnot. Insanity lies down that path.
Ohwell
I pour myself a large brandy and think of all the proles stuck using Microsoft software.
OpenOffice.org.
Use Vim instead.
Don't use Word? ;)
When we have viruses exploiting Word files, part of our security team sends out a notice that says we're temporarily quarantining the files until we can have them cleared. But really, you can't indefinitely stop word files from coming in.
I'll admit I'm too lazy to read the exact detail of the exploit, but shouldn't this whole situation be alleviated by good, layered network security anyway?
...turn off Word macros for the majority of your users who do not need them. For those who do, give them an hour-long or so seminar on the safe way to work with Word macros, including opening (or not) files from unknown/untrusted sources. I'm astounded at the level of ignorance many people claiming to be knowledgeable UNIX/Linux admins have with regards to running what they consider to be a little kiddie playground of a server OS, yet they seem to have all sorts of trouble. If the OS is for idiots as you claim then you should have no trouble using group policies to enforce these rules. If you cannot enforce these group policies then perhaps it is you who is the idiot and not the OS.
I'm a Windows network admin, and I made a group policy to deny people downloading new Word format files, at least until they put a good patch out.
We keep the AV scanner at the gateway up. We keep the spam filter at the gateway up. We keep the AV on the desktop up-to-date.
Right now there's no good RPC-exploitable worm for Windows. Any Word-based infection is going to be localized to a single machine (or, at most, to those machines a user has remote local administrative rights on). So, we watch. We stay at yellow alert, and we don't panic. Because right now, there's nothing to panic about. The ability to spread a virus/worm/mal* to a single machine isn't exactly a huge danger. We already have that every time someone sends us a URL.
Panic on your own time.
The windows email/desktop machines may (and always do) get infected; and we simply replace those with a clean disk image.
The accounting machines - if someone opens an infected Word doc or even runs outlook on them - well, that's against our corporate policy and they'd get in trouble.
Most people in engineering, though, use linux desktops and solaris servers; so it's not that big a deal. For them if they need a word doc, they run it under vmware or go to a few shared machines around.
Wouldn't it be possible to automatically strip all macros from the documents? Of course, some documents wouldn't survive the alteration unscathed, but for most of the documents I don't think the end users would even notice a difference.
Blocking all doc files? Too funny. What a jerky self-important moron of an admin. Learn how to weigh risk and reward, dude. You clearly have no clue. Sounds like you have a hard-on for Microsoft and are trying to make a point.
Good luck with that and your next job, which is right around the corner. Maybe you can refuse to flip any burgers that have trans fat in them.
I'm just shaking my head and rolling my eyes. BOFH indeed.
Upload to docs.google.com, then download from docs.google.com.
Reasonable or not, Microsoft's suggestion regarding the vulnerability is to "not open or save Word document files"
Set up MIMEDefang to convert M$ Word attachments to PDF using openoffice. Any attachments with a .doc extension or a mimetype of application/msword go through this process.
Also, to reduce the overhead, get the sha1sum for the Word document, and save the pdf to <sha1sum>.pdf.
Before any documents are converted with openoffice, get the sha1sum. If a <sha1sum>.pdf already exists, use that file.
This still allows people to get the content, which is, most of the time, all they want.
There is also a program called antiword that will convert ms word documents to text, PDF, or PostScript.
But openoffice does a better job.
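The sha1sum-keyed cache in front of the converter, as an added Python example (not the poster's filter and not MIMEDefang code): attachments are selected by the .doc/.dot extension or the application/msword mimetype named above, the cache entry is <sha1>.pdf, and the converter is passed in as a callable so the same logic works with openoffice, antiword or anything else. The soffice command line is an assumption (a LibreOffice-style --headless --convert-to invocation, not the macro-driven route 2006-era OpenOffice needed); the converter is what you would wrap in a chroot or dedicated VM, since it is the part that parses untrusted input.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Optional, Tuple

# Selection rule from the post: by extension or by declared mimetype.
WORD_EXTENSIONS = {".doc", ".dot"}
WORD_MIMETYPES = {"application/msword"}

Converter = Callable[[bytes], bytes]


def should_convert(filename: str, mimetype: Optional[str] = None) -> bool:
    """True for attachments the filter should push through the converter."""
    ext = Path(filename).suffix.lower()
    return ext in WORD_EXTENSIONS or (mimetype or "").lower() in WORD_MIMETYPES


def soffice_to_pdf(doc_bytes: bytes) -> bytes:
    """Convert with a headless office suite (assumed LibreOffice-style CLI).

    Runs in a throwaway directory; a timeout bounds a converter that hangs on
    a hostile file, and check=True turns a crash into an exception for the caller.
    """
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "input.doc"
        src.write_bytes(doc_bytes)
        subprocess.run(
            ["soffice", "--headless", "--convert-to", "pdf", "--outdir", work, str(src)],
            check=True, timeout=120, capture_output=True,
        )
        return (Path(work) / "input.pdf").read_bytes()


def convert_cached(doc_bytes: bytes, cache_dir: str,
                   converter: Converter = soffice_to_pdf) -> Tuple[Path, bool]:
    """Return (pdf_path, cache_hit). The cache key is the sha1sum of the original.

    Identical documents (the same file forwarded to many recipients) are parsed
    exactly once; every later delivery is served from the cache without running
    the converter again.
    """
    cache = Path(cache_dir)
    cache.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha1(doc_bytes).hexdigest()
    target = cache / f"{digest}.pdf"
    if target.exists():
        return target, True
    pdf = converter(doc_bytes)
    partial = cache / f"{digest}.pdf.part"
    partial.write_bytes(pdf)
    partial.replace(target)  # atomic rename: a concurrent delivery never sees a half-written PDF
    return target, False


def handle_attachment(filename: str, mimetype: Optional[str], payload: bytes,
                      cache_dir: str, converter: Converter = soffice_to_pdf) -> Tuple[str, bytes]:
    """Filter entry point: Word attachments come back as (name.pdf, pdf bytes), others unchanged."""
    if not should_convert(filename, mimetype):
        return filename, payload
    pdf_path, _hit = convert_cached(payload, cache_dir, converter)
    return Path(filename).stem + ".pdf", pdf_path.read_bytes()
```

Hashing the original bytes rather than the filename is what makes the cache safe to share between users: two different documents never collide on a name, and a document that has already cost one conversion is never parsed a second time.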
Well, I use Linux so I don't have MS Office, but I extract the text from MS Word documents using Antiword or Catdoc and then read them in Vim.
Antiword: http://www.winfield.demon.nl/
Catdoc: http://www.45.free.net/~vitus/software/catdoc/
Add this to your .vimrc to make it automagic:
" tag .doc buffers before the read, then replace the binary contents with antiword's text output
autocmd BufReadPre *.doc set filetype=msword
autocmd BufReadPost *.doc silent %!antiword "%"
autocmd FileType msword call s:MyMSWordSettings()
function! s:MyMSWordSettings()
  set readonly
  set hlsearch!
endfunction
For RTF documents, check out UnRTF: http://www.gnu.org/software/unrtf/unrtf.html
I only use Word at work, so it's not my problem. You can't just stop using Word without possibly losing money, so it's worth the risk. It's not like I'm going to open any emails from people I don't know anyway.
Bottom line: Managing Word exploits is bad for business and probably for the economy. Cleaning malware off of small business computers is hard, backbreaking work. But for many home-based IT businesses, it puts food on the table. So, go ahead. Manage your Word exploits -- if you want to put thousands of business owners in the poorhouse and, ultimately, risk crashing our economy.
Yet more evidence of the truth and beauty of the Church of Emacs.
Or, if one is into truly antediluvian forms of worship, Ed, man! !man ed.
It's quite big but it'll solve your MS Office security problems.
http://download.openoffice.org/2.1.0/index.html
Our (Fortune 500) company did the same when Windows GDI and .jpg issues were a big deal. The answer was to send/receive in .zip format. It turned out not to be a real problem after a short adjustment period, just another step in the business process. If you can't communicate back to your business partner about the attachment problem then you don't really have a business "partner", do you?
Of course my initial answer was going to be a flip, "how do I deal with it? Use OpenOffice.org of course".
What about using the Word Viewer?
Simple. My employees know not to open any file that they don't know what it is. I really don't know how you can get any simpler or more effective than that.
If your users need to send/receive executable code from/to strangers (which is essentially what they're asking for) then you're in a nasty situation.
If you're the boss, one obvious thing to do is to make them sign something to the effect that the cost of cleaning up after their willful unsafe practices, will come out of their own paychecks.
Let's assume you're not the boss.
You can't trust scanners anyway; it's not a matter of today's particular 0-day-exploit, because there will always be exploits. You must assume that hostile code will be running (probably with full admin privileges) on those users' machines. Sandbox as much as they'll allow you to. Run MS Word itself inside a dedicated virtual machine if you can. If you can't, then run the Windows session itself inside one. Put those boxes on their own network, etc. The key is to accept the destruction, but also try to limit it to the people who are asking for it. It's ok if your company loses a few thousand dollars of work every week or so from a few bad users -- you need to keep from losing millions, and hopefully in such a way that when the boss comes screaming about the thousands, you have something positive to point to.
And, if you can, keep memos about complaints (or prohibitions from above) as a record to show that you were not allowed to really fix the problem: you don't just want credit for preventing the big disaster; you want absolution from blame for the little disaster.
- Exchanging finished documents for reading. PDF is better:
  - It can reproduce the results exactly.
  - It doesn't include Word's "change tracking" information which can cause embarrassing leaks.
  - It's a standard with many interoperable implementations.
- Exchanging in-progress documents for revision. At least for stuff limited to your company, a version control server (like Subversion with friendly TortoiseSVN clients) is better:
  - Doesn't cause email storage to grow enormously. Instead, a server actually meant for this kind of thing stores only deltas. And only one copy of each document - on most mailservers, the disk space consumed by an attachment is proportional to the number of recipients.
  - Lets you easily find the latest version of a document. ("Did he send me another copy after this? I'm not sure.")
  - Lets you easily retrieve any previous version, see changes/authors/checkin comments. (I don't trust Word's built-in change tracking, and you shouldn't either. Its security model is flawed, and I don't think it's reliable to begin with.)
  - Supports locking/unlocking documents to prevent conflicting changes.
  - With some setup, supports diffing and merging office documents. You can maintain branches!
  - Supports searching - where I work, we've plugged in swish-e for full-text searching over our documentation repository.
I wish my company would just block all
Thanks for the links. I know this problem isn't proven on OS X, but based on the executive summary I'd suppose it could be an issue, so to Mac OS X people: textutil(1) can read doc and convert to txt, html, rtf, or even webarchive, so you get all the images.
Textutil is in /usr/bin on an install of OS X, and just acts as a wrapper for the OS X text word processing subsystem.
I only run MS Word in my hermetically sealed house, which I never leave.
It's likely that OOo and AbiWord only crash when they encounter a malformed file. A crash is a local denial of interactive service, which is a vulnerability of much less severity than an arbitrary code execution.
IMO blocking .doc's altogether while you wait for your malware filter to be able to catch the exploit is obviously overkill. Let your users send and receive .doc's and therefore get their jobs done. Explain to them (maybe through a corporate memo?) the risks with .doc files and not to open any .doc files that they don't know for certain are from reliable sources. Eh?
I for one make my company's employees and their ability to get their jobs done quickly and effectively my first priority. Forget about the exploits. Don't let M$'s insecure software make your workers less effective!!
Just use OpenOffice. It will exchange most documents just fine. The ones it has problems with are either poorly designed or malicious; they are rare enough that it's not a problem in real life, and they can be sent back to the sender to get fixed.
Round-trip convert to OpenDoc. Not only will that strip evil macros, it will also make it easy to migrate to OpenOffice.
Is how you handle arbitrary code execution vulnerabilities?
SVN and CVS for the end user? Ha. I had a good laugh at that one.
We do not use Microsoft Word at my place of business. This is therefore no longer a concern. If any sysadmin thinks this is a problem, it's clearly time to approach the PHB with it in terms that they will understand. Something along the lines of, "Yes, I'd love to tackle that super-urgent issue of yours, but I'm too busy fighting these n MS Word vulnerabilities" where n is greater than zero. That ought to do it.
> Nice! Now, all they need to do is add the line "MCSE holders need not apply" and they're all set.
That one is already covered by the "don't send us .doc files" part :-)
'nuff said
Remember, everyone in your company has a job to do; your job is to help them do their jobs. Sometimes employees will be impacted by security issues; but when their time is spent primarily working around your paranoid security restrictions, then you're hurting your business. Right now, you're more likely to either 1: Get fired, 2: insult an important business client, 3: piss off a valuable employee who will decide to move to a company who doesn't have an @$$h0l3 running their network...
It's good that you can disable word documents from email in the event of an outbreak; if, and only if an outbreak does occur, then disabling word documents from email might be your only option.
The other thing to consider is that, if a virus starts spreading though word documents in email attachments, you're going to start seeing a lot of SPAM with word documents attached. Consider being more restrictive to SPAM with regard to attachments.
Either be very diligent with your backups (which you should be anyway) or just don't use it. "Viruses" and general issues with computers (MS products specifically) are the counterpart to 'other people on the road' when driving your car. You either put up with the dangers and prepare yourself for the pain or simply don't get involved.
Fortunately with computers you can just make backups and only lose a day or two of production if everything goes to shit. Not so possible with a head-on collision at 50mph.
Funny you should mention VIM. It had an arbitrary code execution exploit not that long ago, based on modeline interpretation.
Thankfully, Vim's presence is.. um.. low, compared to Word. Still, the HORROR! Being owned by a malicious ASCII file!
YMMV
Ratboy
Open Office is not slow for me. It's fine.
How do I handle it? Use OpenOffice.
I still use WordPerfect for my WP ...
I stopped using Word back in 1997 when I couldn't get a simple (C) to not be turned into a copyright symbol in a document. After several hours of searching help and disabling what seemed like hundreds of preferences that began with "auto," I pasted the document text into Netscape Gold's HTML editor and never looked back.
I've given the PHBs plenty of trouble since then by not accepting DOC files (or later on Excel files either). They can't figure out how to save in any other format (which was my suggestion the first few years).
To make a long story short, they've finally taken to just printing the document for me and e-mailing it to everyone else.
I sincerely hope that this rash of zero-day viruses will finally get them to consider ODF, but it'll probably take another 3-5 years before that epiphany hits any of them.
It doesn't take much technical sophistication to handle "update" and "commit", and that's 95% of the operations on this sort of repository. Very little branching, some use of logs...but really, what people need is a place to put documents that fires off commit emails and where it's possible to get a log or pull an old version if necessary.
As far as the sales guys are concerned, it's a lot like a network share, except that they can still access their local working copy when they're on a plane or at a customer site.
OpenOffice allows you to read & write MS-Word docs without having MS-Word. This has worked well for many of my customers, & they enjoy the PDF document production & the ability to recover many broken MS-Office documents simply by opening them in OpenOffice.
OpenOffice also runs on more platforms & is developing faster, & the docs are much easier to externally process (they’re basically ZIPped XHTML in a moderately sane format).
Oh, yes, and it’s much cheaper ($0 per seat) & you don’t have to watch out for time-bombs in the registration or anything like them.
And finally, I like it more. It’s not perfect, but things are generally arranged more sensibly, plus a lot more odd little corner cases are correctly (consistently) implemented.
Apply the standard Threat/Likelihood/Impact risk model before you start on these things.
...
So you block MS-Word: what's the threat (and is it exploited yet, which is Likelihood), and finally what's the impact of the threat? Now apply this to your actions.
Another thing I'd say: various IE issues are more of a risk than a little-exploited (to date) one in Word.
Given the time you are spending, the impact you're having on the business, is your 'fix' worth it?
The trouble with trying to filter is that the Word format is a binary blob without any documentation...
It's quite easy to filter out things like the jpeg exploit: just try opening it with a jpeg library on the filter server, the exploit jpegs won't load properly and will error, or you can convert them on the fly to another image format.
Of course this brings up a risk to your server, but the risk is much smaller: the server is likely to be hardened, could be running many different OSes on several different hardware platforms, won't be running the code as a privileged user, and could easily be running it inside of a chroot. If you were to use something like grsecurity on Linux, you could make sure the risky parsing code ran inside of a chroot, did not have the ability to write anywhere (except its input/output pipes) and did not have the ability to open sockets or execute any additional programs.
When you know the format, you can cut out a large percentage of exploits by validating the contents of the format against what the specs say it should contain; you can then sanitise parts of the file if necessary, or convert it into another (compatible) format.
Of course it's not foolproof, but it raises the bar much higher.
This is a very good reason not to allow unknown binary data to be transferred in/out of your network.
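The "parse it on the filter server" idea above, as an added Python example that is not the poster's code: sniff_type identifies the container from its leading bytes (the OLE2 compound-document signature shared by .doc/.xls/.ppt, ZIP, JPEG, RTF, PDF), so a Word file renamed to .dat or .txt, the workaround suggested earlier in the thread, is still recognised for what it is; validate_jpeg walks the marker segments the way a strict decoder would and rejects any length field that does not fit inside the file, which is the "it won't load properly and will error" check without letting a full decoder touch the bytes. The type names and the allow-list are my own; the sample files in the test are constructed.

```python
from pathlib import Path
from typing import Tuple

# Leading-byte signatures (real file-format magic); type names are this example's own labels.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # binary .doc/.xls/.ppt container
MAGIC = [
    (OLE2_MAGIC, "ole2"),
    (b"PK\x03\x04", "zip"),          # OOXML, ODF and plain archives all start this way
    (b"\xff\xd8\xff", "jpeg"),
    (b"{\\rtf", "rtf"),
    (b"%PDF-", "pdf"),
]
# Allow-list: what the content of each accepted extension must actually be.
EXPECTED = {
    ".doc": "ole2", ".dot": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".odt": "zip", ".zip": "zip",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".rtf": "rtf", ".pdf": "pdf",
}


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever the filename claims."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def validate_jpeg(data: bytes) -> bool:
    """Check the JPEG marker structure against the spec without decoding any image data.

    Every segment after SOI carries a 2-byte big-endian length that includes
    itself; a length below 2 or one that runs past the end of the file is
    exactly the kind of field a naive decoder trusts and an exploit file abuses.
    """
    n = len(data)
    if n < 4 or data[:2] != b"\xff\xd8" or data[-2:] != b"\xff\xd9":
        return False  # must start with SOI and end with EOI
    pos = 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return False  # stray byte where a marker is required
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:  # EOI is only valid as the final two bytes
            return pos + 2 == n
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM and RSTn carry no length
            pos += 2
            continue
        if pos + 4 > n:
            return False
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seglen < 2 or pos + 2 + seglen > n - 2:
            return False  # length field cannot fit, leaving room for EOI
        if marker == 0xDA:  # SOS: entropy-coded data runs up to the EOI already checked
            return True
        pos += 2 + seglen
    return False


def admit(filename: str, data: bytes) -> Tuple[bool, str]:
    """Gateway decision for one attachment: (allowed, reason)."""
    ext = Path(filename).suffix.lower()
    sniffed = sniff_type(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        if sniffed != "unknown":
            return False, f"extension {ext or '(none)'} hides {sniffed} content"
        return False, "unknown binary data is not allowed"
    if sniffed != expected:
        return False, f"content is {sniffed}, but a {ext} file should be {expected}"
    if sniffed == "jpeg" and not validate_jpeg(data):
        return False, "malformed jpeg marker structure"
    return True, "ok"
```

The structural check is deliberately stricter than a real decoder: it refuses anything it cannot account for, and the cost of that is rejecting a few odd but harmless files, which is the right trade at a mail gateway.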
Yeah, OK. Now, does anyone have a reasonable solution?
Using Word isn't a reasonable solution. The problem is inherent in the tool you're using. Switch tools.
toresbe
Well, I typically Wazoo worry about it. I mean, hey, Wazoo someone wants to cause harm to my Wazoo documents, then clearly that's Wazoo issue, not mine.
I mean, hey, Wazoo security isn't my job ... Wazoo?
I... laugh?