Slashdot Mirror


How Do You Handle New MS Word Vulnerabilities?

chipperdog asks: "With yet another zero-day exploit of MS-Word document files, what are fellow system admins doing to protect themselves against these threats? I have been blocking all .doc and .dot at the mail and proxy servers until malware scanners have signatures to detect and block the malicious files. Of course, this caused a uproar with the users, as there were continuous calls like: 'When can I send and receive Word files again' and 'I can't get anything done if I can't send/receive Word files'. Any suggestion of sending documents in different formats (like rtf, html, txt, or pdf) results in even more creative user 'feedback'. Has anyone done anything creative in their handling of word files — like having qmail-scanner pipe all .doc attachments through something such as wv to convert them to a less exploitable format?"

7 of 157 comments

  1. At least for now we filter... by Jhon · · Score: 2, Informative

    All attached DOC files are filtered and placed into a user's quarantine folder (which they can access via a web browser). Simple permissions keep them from accessing the file itself until it can be checked. Once checked, permissions are changed and the user can pull the document.

    It's frustrating for the end user as they don't have instant access to their attachment (sometimes there's a 4-hour delay before the file can be manually inspected -- still waiting for some def-files!) and it's taxing my staff time-wise to do this (we've got better things to do than check for any monkey-business in word documents). We've suggested everyone convert to PDFs and send THOSE and it's been working but it's still a disruption.

    1. Re:At least for now we filter... by CerebusUS · · Score: 2, Informative

      As I've noted elsewhere, if you think your filter is protecting you, you are wrong:

      "Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."

      source

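CerebusUS's point above is that the extension is not the thing to key on. As an added example (not code from this thread or from any of the posters), here is a small Python script that walks a message's attachments and flags Word documents by their file header: the OLE2 compound-file signature that every Word 97-2003 .doc/.dot file starts with, and the RTF group marker (Word opens RTF too), plus a declared application/msword type. The extension is used only as a last-resort hint. The sample message is constructed inline, and the names OLE2_MAGIC, RTF_MAGIC, classify_attachment and find_word_attachments are this example's own.

```python
"""Flag Word documents in a mail message by content rather than extension.

Added example, not from the thread. The sample message below is
constructed inline so the script runs offline.
"""
import email
from email import policy
from email.message import EmailMessage

# OLE2 / Compound File Binary signature: the first 8 bytes of every
# Word 97-2003 .doc (and .dot) file, whatever the file is named.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Word also opens RTF; an RTF file starts with this group marker.
RTF_MAGIC = b"{\\rtf"
WORD_EXTENSIONS = (".doc", ".dot")


def classify_attachment(filename, data, content_type):
    """Return why this attachment counts as a Word document, or None.

    Content evidence (file header, declared MIME type) is checked first;
    the file-name extension is only a last-resort hint.
    """
    if data.startswith(OLE2_MAGIC):
        return "OLE2 compound file header"
    if data.startswith(RTF_MAGIC):
        return "RTF header"
    if content_type.lower() == "application/msword":
        return "declared application/msword"
    if filename.lower().endswith(WORD_EXTENSIONS):
        return "extension only (content does not look like Word)"
    return None


def find_word_attachments(raw_message):
    """Parse an RFC 822 message (bytes) and return [(filename, reason), ...]
    for every attachment the gateway should hold back."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, data, part.get_content_type())
        if reason is not None:
            hits.append((name, reason))
    return hits


def build_sample_message():
    """Constructed test message: one renamed Word file, one text file
    with a .doc name, and one PDF."""
    msg = EmailMessage()
    msg["Subject"] = "quarterly numbers"
    msg.set_content("See attached.")
    # Real Word header, unknown extension: Windows would still open it in Word.
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 504,
                       maintype="application", subtype="octet-stream",
                       filename="document.qwer")
    # Plain text that only carries a .doc name.
    msg.add_attachment("just a memo\n", filename="notes.doc")
    # PDF header: not a Word document.
    msg.add_attachment(b"%PDF-1.4\n",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_word_attachments(build_sample_message()):
        print(f"hold {name!r}: {reason}")
```

On the constructed message the renamed file is caught by its header and the text file is reported as "extension only", so a gateway can hold the first one and apply whatever weaker policy it wants to the second. Note that the OLE2 signature is shared by .xls and .ppt files, so a gateway keying on it holds those too.
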
  2. Re:"Zero-day" by tchuladdiass · · Score: 2, Informative

    Actually, a zero-day exploit is an exploit (piece of attack code) that is making use of a previously-undiscovered/undisclosed security vulnerability. Contrast this to freshly discovered security holes that don't have any exploits written for them yet (which is most security announcements), and exploits that have been written to take advantage of previously known security holes.

  3. Re:Wow... glad you don't work for me. by MarcoAtWork · · Score: 2, Informative

    Have one admin with VMware Player and a VM that mounts read-only the quarantine folder on the network where any 'suspect' doc is dumped (resumes, attachments from untrusted sources, whatever); in the VM, convert the .doc to .pdf and put it in a separate directory that is instead accessible to everybody. Of course the VMware image should be configured NOT to have access to absolutely anything but this one 'quarantine' host.

    Users then access the PDF files from the 'safe' area normally; or, if you want, just have the admin move files to separate subdirectories with appropriate user permissions.

    If you don't want to have a designated person doing this, you could mandate that your users can use email only from within VMs (that don't have any sort of network access besides receiving email) and must convert to a different format before saving it on a shared folder on their local disk.

    I think something along these lines (quarantine + conversion to a different format, whether centrally located or on everybody's box) should be mandatory for offices where they are expecting .docs from untrusted sources. After all, if the HR person's desktop gets compromised you'll be in a LOT more pain than if somebody else's was, given the sensitivity of the information that generally is stored in there...

    --
    -- the cake is a lie
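
The quarantine-and-convert step MarcoAtWork describes, as an added example (not code from the thread or from any poster). It is meant to run inside the isolated conversion VM: the quarantine directory is mounted read-only, each file that carries a Word header is converted, and only the converted text, never the original .doc, is written into the safe area with world-readable permissions. The converter defaults to antiword (assumed to be installed in the VM); any callable that takes a path and returns bytes can be substituted, which is what the constructed demo() does so it runs on a box without antiword. The names release_quarantine, looks_like_word and antiword_text are this example's own.

```python
"""Release quarantined Word files as plain text into a directory users can read.

Added example, not code from the thread. Intended to run inside the
isolated conversion VM the comment describes: the quarantine directory is
mounted read-only, and only the converted text, never the original .doc,
lands in the safe area. The converter defaults to antiword (assumed to be
installed in the VM); any callable taking a path and returning bytes works.
"""
import os
import subprocess
import tempfile
from pathlib import Path

# OLE2 / Compound File Binary signature of Word 97-2003 documents.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def looks_like_word(path):
    """Decide by file header, not by extension (a renamed .doc still counts)."""
    with open(path, "rb") as fh:
        return fh.read(len(OLE2_MAGIC)) == OLE2_MAGIC


def antiword_text(path):
    """Default converter: antiword writes the document text to stdout.
    A non-zero exit raises CalledProcessError, which the caller treats as
    'could not be converted, keep it in quarantine'."""
    return subprocess.run(["antiword", str(path)],
                          capture_output=True, check=True).stdout


def release_quarantine(quarantine_dir, safe_dir, converter=antiword_text):
    """Convert every Word document in quarantine_dir to <name>.txt in safe_dir.

    Returns (released, rejected): names written to the safe area, and
    quarantined files left for manual review (unrecognised type, failed
    conversion, or a name collision in the safe area).
    """
    released, rejected = [], []
    safe = Path(safe_dir)
    safe.mkdir(parents=True, exist_ok=True)
    for src in sorted(Path(quarantine_dir).iterdir()):
        if not src.is_file() or not looks_like_word(src):
            rejected.append(src.name)
            continue
        try:
            text = converter(src)
        except (OSError, subprocess.CalledProcessError, RuntimeError):
            rejected.append(src.name)
            continue
        dst = safe / (src.stem + ".txt")
        try:
            # O_EXCL: never overwrite or follow a pre-existing file/symlink;
            # 0644 lets every user read the text and nobody modify it.
            fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            rejected.append(src.name)
            continue
        with os.fdopen(fd, "wb") as out:
            out.write(text)
        released.append(dst.name)
    return released, rejected


def demo():
    """Run the release step on a constructed quarantine directory with a
    stand-in converter, so it works on a box without antiword."""
    base = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    quarantine, safe = base / "quarantine", base / "safe"
    quarantine.mkdir()
    (quarantine / "resume.doc").write_bytes(OLE2_MAGIC + b"\x00" * 504)
    (quarantine / "cv.qwer").write_bytes(OLE2_MAGIC + b"\x00" * 504)  # renamed .doc
    (quarantine / "notes.doc").write_bytes(b"not actually a Word file\n")
    (quarantine / "broken.doc").write_bytes(OLE2_MAGIC + b"\xff" * 8)

    def fake_converter(path):
        if path.name == "broken.doc":
            raise RuntimeError("parser gave up")
        return b"text extracted from " + path.name.encode()

    return release_quarantine(quarantine, safe, converter=fake_converter)


if __name__ == "__main__":
    released, rejected = demo()
    print("released:", released)
    print("still quarantined:", rejected)
```

The important property is that nothing the converter could not parse, and nothing that does not carry a Word header, ever reaches the safe area; those files stay where the admin can look at them by hand, and the VM itself is the only thing that ever opens the original.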
  4. Re: Antiword or Catdoc by lky · · Score: 2, Informative

    Well, I use Linux so I don't have MS Office, but I extract the text from MS Word documents using Antiword or Catdoc and then read them in Vim.

    Antiword: http://www.winfield.demon.nl/
    Catdoc: http://www.45.free.net/~vitus/software/catdoc/

    Add this to your .vimrc to make it automagic:

    " No quotes around the value: 'set filetype="msword"' would keep the
    " quotes as part of the filetype and the FileType autocmd would never fire.
    autocmd BufReadPre  *.doc setlocal filetype=msword
    " Replace the binary buffer contents with the text antiword extracts.
    autocmd BufReadPost *.doc silent %!antiword "%"
    autocmd FileType msword call s:MyMSWordSettings()

    function! s:MyMSWordSettings()
            " The buffer is extracted text, not the .doc, so never write it back.
            setlocal readonly
            set hlsearch!
    endfunction

    For RTF documents, check out UnRTF: http://www.gnu.org/software/unrtf/unrtf.html

  5. Re:Why not... by CerebusUS · · Score: 2, Informative

    The latest vulnerability doesn't require macros.

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory,"

    There's no way to protect from these documents via group policy, short of a group policy that disallows word from running.

  6. MOD PARENT INFORMATIVE by iluvcapra · · Score: 2, Informative

    Thanks for the links. I know this problem isn't proven on OS X, but based on the executive summary I'd suppose it could be an issue, so to Mac OS X people, textutil(1) can read doc and convert to txt, html, rtf, or even webarchive, so you get all the images.

    Textutil is in /usr/bin on an install of OS X, and just acts as a wrapper for the OS X text word processing subsystem.

    --
    Don't blame me, I voted for Baltar.