Slashdot Mirror


How Do You Handle New MS Word Vulnerabilities?

chipperdog asks: "With yet another zero-day exploit of MS-Word document files, what are fellow system admins doing to protect themselves against these threats? I have been blocking all .doc and .dot at the mail and proxy servers until malware scanners have signatures to detect and block the malicious files. Of course, this caused an uproar with the users, as there were continuous calls like: 'When can I send and receive Word files again' and 'I can't get anything done if I can't send/receive Word files'. Any suggestion of sending documents in different formats (like rtf, html, txt, or pdf) results in even more creative user 'feedback'. Has anyone done anything creative in their handling of word files — like having qmail-scanner pipe all .doc attachments through something such as wv to convert them to a less exploitable format?"

11 of 157 comments

  1. At least for now we filter... by Jhon · · Score: 2, Informative

    All attached DOC files are filtered and placed into a user's quarantine folder (which they can access via a web browser). Simple permissions keep them from accessing the file itself until it can be checked. Once checked, permissions are changed and the user can pull the document.

    It's frustrating for the end user as they don't have instant access to their attachment (sometimes there's a 4-hour delay before the file can be manually inspected -- still waiting for some def-files!) and it's taxing my staff time-wise to do this (we've got better things to do than check for any monkey-business in word documents). We've suggested everyone convert to PDFs and send THOSE and it's been working but it's still a disruption.

    1. Re:At least for now we filter... by CerebusUS · · Score: 2, Informative

      As I've noted elsewhere, if you think your filter is protecting you, you are wrong:

      "Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."

      source
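      The quoted advisory is the practical point of this whole thread: Windows hands a file to Word based on its header, not its name, so a gateway has to look at the bytes. The following is an added example written for this page, not code from the thread, from qmail-scanner or from Microsoft. It sniffs the OLE2 compound-file signature that Word 97-2003 .doc/.dot files carry and looks for the UTF-16LE "WordDocument" stream name in the container, treats RTF as Word content (Word opens it too), and, going a step beyond the 2006 thread, also recognises the ZIP-based Office 2007 .docx layout by its word/ parts. The verdict strings, the extension list and the stream-name heuristic are my own choices; the sample files at the bottom are constructed stand-ins, not real documents.

```python
"""Extension-independent detection of Word documents for a mail gateway.

Added example for this thread (not from the original post or from any
named tool). Policy names, the extension list and the stream-name
heuristic are assumptions made for illustration.
"""
import io
import zipfile

# OLE2 / Compound File Binary signature: the container used by Word 97-2003
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Name of the main Word stream as it appears in the CFB directory (UTF-16LE)
WORD_STREAM_NAME = "WordDocument".encode("utf-16-le")
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions an extension-only filter would typically block (assumed list)
WORD_EXTENSIONS = {"doc", "dot", "rtf", "docx", "docm", "dotx", "dotm"}


def sniff_word(data: bytes) -> str:
    """Classify attachment bytes by content, ignoring the file name entirely.

    Returns one of:
      'word-binary'  OLE2 container holding a WordDocument stream (.doc/.dot)
      'ole2-other'   OLE2 container without one (e.g. Excel, PowerPoint)
      'rtf'          Rich Text Format, which Word also opens
      'word-ooxml'   ZIP container holding word/ parts (Office 2007+ .docx)
      'other'        anything else
    """
    if data.startswith(OLE2_MAGIC):
        # The directory sector can sit anywhere in the file; searching for the
        # UTF-16LE stream name is a cheap heuristic that avoids parsing the FAT.
        return "word-binary" if WORD_STREAM_NAME in data else "ole2-other"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(n.startswith("word/") for n in names):
            return "word-ooxml"
    return "other"


def gateway_verdict(filename: str, data: bytes) -> tuple[str, str]:
    """Decide what the gateway does with one attachment: (action, reason).

    Anything Word will open is quarantined whatever the extension says, so
    the advisory's 'document.qwer' is caught. A Word payload behind an
    innocent extension is reported as disguised, because that mismatch is
    exactly how extension-only filters are bypassed. A .doc that is not a
    Word container is also held, since the name and content disagree.
    """
    kind = sniff_word(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in ("word-binary", "rtf", "word-ooxml"):
        if ext in WORD_EXTENSIONS:
            return ("quarantine", f"{kind} content")
        return ("quarantine", f"{kind} content disguised as .{ext or '(none)'}")
    if kind == "ole2-other":
        return ("quarantine", "OLE2 container without Word stream; inspect manually")
    if ext in WORD_EXTENSIONS:
        return ("quarantine", f"extension .{ext} but content is not a Word document")
    return ("deliver", "not a Word document")


def _fake_doc() -> bytes:
    """Constructed stand-in for a .doc: CFB header plus a directory entry that
    names the WordDocument stream. Not a real, openable document."""
    header = OLE2_MAGIC + b"\x00" * (512 - len(OLE2_MAGIC))
    entry = WORD_STREAM_NAME.ljust(64, b"\x00") + b"\x00" * 64
    return header + entry


def _fake_docx() -> bytes:
    """Constructed stand-in for a .docx: a ZIP with a word/ part inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("document.qwer", _fake_doc()),
                       ("minutes.doc", _fake_doc()),
                       ("agenda.docx", _fake_docx()),
                       ("report.pdf", b"%PDF-1.4 ...")]:
        print(name, gateway_verdict(name, blob))
```

      Wire `gateway_verdict` into whatever hook your scanner exposes for each decoded MIME part; the point is that the decision never consults the extension except to report a mismatch.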

  2. "Zero-day" by Anonymous Coward · · Score: 1, Informative

    Does "zero-day" still mean what it once meant? People are calling exploits "zero-day" weeks after they are available.

    "Zero-day" means it was released today. Every exploit was "zero-day" sometime, but ceased to be the next day.

    1. Re:"Zero-day" by tchuladdiass · · Score: 2, Informative

      Actually, a zero-day exploit is an exploit (piece of attack code) that is making use of a previously-undiscovered/undisclosed security vulnerability. Contrast this to freshly discovered security holes that don't have any exploits written for them yet (which is most security announcements), and exploits that have been written to take advantage of previously known security holes.

  3. Re:Wow... glad you don't work for me. by MarcoAtWork · · Score: 2, Informative

    have one admin with vmware player and a vm that mounts read-only the quarantine folder on the network where any 'suspect' doc is dumped (resumes, attachments from untrusted sources, whatever), in the vm convert the .doc to .pdf and put it in a separate directory that is instead accessible from everybody. Of course the vmware image should be configured NOT to have access to absolutely anything but this one 'quarantine' host.

    Users then access the PDF files from the 'safe' area normally; or, if you want, just have the admin move files to separate subdirectories with appropriate user permissions.

    If you don't want to have a designated person doing this, you could mandate that your users can use email only from within VMs (that don't have any sort of network access besides receiving email) and must convert to a different format before saving it on a shared folder on their local disk.

    I think something along these lines (quarantine + conversion to a different format, whether centrally located or on everybody's box) should be mandatory for offices where they are expecting .docs from untrusted sources. After all if the HR person's desktop gets compromised you'll be in a LOT more pain than if somebody else's was, given the sensitivity of the information that generally is stored in there...

    --
    the cake is a lie
  4. Why not... by Anonymous Coward · · Score: 1, Informative

    ...turn off word macros for the majority of your users who do not need them. For those who do, give them an hour long or so seminar on the safe way to work with word macros, including opening (or not) files from unknown/untrusted sources. I'm astounded at the level of ignorance many people claiming to be knowledgeable UNIX/Linux admins have with regards to running what they consider to be a little kiddie playground of a server OS yet they seem to have all sorts of trouble. If the OS is for idiots as you claim then you should have no trouble using group policies to enforce these rules. If you cannot enforce these group policies then perhaps it is you who is the idiot and not the OS.

    1. Re:Why not... by CerebusUS · · Score: 2, Informative

      The latest vulnerability doesn't require macros.

      "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory,"

      There's no way to protect from these documents via group policy, short of a group policy that disallows word from running.

  5. docs.google.com by Anonymous Coward · · Score: 1, Informative

    upload to docs.google.com then download from docs.google.com

  6. Re:I don't by Anonymous Coward · · Score: 1, Informative

    the exploit affects Macs running Word too

  7. Re: Antiword or Catdoc by lky · · Score: 2, Informative

    Well I use Linux so I don't have MS Office but I extract the text from MS Word documents using Antiword or Catdoc and then read them in Vim.

    Antiword: http://www.winfield.demon.nl/
    Catdoc: http://www.45.free.net/~vitus/software/catdoc/

    Add this to your .vimrc to make it automagic:

    augroup msword
      autocmd!
      " Filter the binary .doc through antiword so the buffer holds the extracted text
      autocmd BufReadPost *.doc silent %!antiword "%"
      " Set the filetype after filtering (no quotes: 'set' takes the value literally)
      " and clear 'modified' so :q does not complain about the rewritten buffer
      autocmd BufReadPost *.doc setlocal filetype=msword nomodified
      autocmd FileType msword call s:MyMSWordSettings()
    augroup END

    function! s:MyMSWordSettings()
            setlocal readonly
            set nohlsearch
    endfunction

    For RTF documents, check out UnRTF: http://www.gnu.org/software/unrtf/unrtf.html

  8. MOD PARENT INFORMATIVE by iluvcapra · · Score: 2, Informative

    Thanks for the links. I know this problem isn't proven on OS X, but based on the executive summary I'd suppose it could be an issue, so to Mac OS X people, textutil(1) can read doc and convert to txt, html, rtf, or even webarchive, so you get all the images.

    Textutil is in /usr/bin on an install of OS X, and just acts as a wrapper for the OS X text word processing subsystem.

    --
    Don't blame me, I voted for Baltar.