Slashdot Mirror


How Do You Handle New MS Word Vulnerabilities?

chipperdog asks: "With yet another zero-day exploit of MS-Word document files, what are fellow system admins doing to protect themselves against these threats? I have been blocking all .doc and .dot at the mail and proxy servers until malware scanners have signatures to detect and block the malicious files. Of course, this caused an uproar with the users, as there were continuous calls like: 'When can I send and receive Word files again' and 'I can't get anything done if I can't send/receive Word files'. Any suggestion of sending documents in different formats (like rtf, html, txt, or pdf) results in even more creative user 'feedback'. Has anyone done anything creative in their handling of Word files — like having qmail-scanner pipe all .doc attachments through something such as wv to convert them to a less exploitable format?"

6 of 157 comments

  1. Open Office by Scott Lockwood · Score: 3, Interesting

    It's amazing how we've been fighting this uphill battle to get our users to use Open Office, and now, all of a sudden, managers are calling us to make sure all of their users have it. :-) Some days, I like my job. :-)

    --
    But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
  2. Re:Wow... glad you don't work for me. by Todd Knarr · Score: 2, Interesting

    I like the position my ISP's HR people take: "The posting said 'No Word documents accepted.' The job's as a senior network engineer. It's going to require lots of detective work to troubleshoot obscure and arcane problems. If you can't figure out how to use Word's 'Save As' to save in RTF or HTML, you are not qualified for the position. If you can't figure out that 'No Word Documents accepted.' means we won't be accepting Word documents, you aren't qualified for any position."

  3. Re:I don't by CerebusUS · Score: 3, Interesting

    At least one of the three recent Word exploits affects Word for Mac as well.

    Also, to the original question:

    Scanning .doc and .dot files does little to no good for the most recent vulnerability. Windows is coded to open correctly formatted documents with unknown extensions with Word. So all I'd have to do to get around your filter is rename the document to: Exploit!.iamnotavir.us0 and if someone is silly enough to double-click it, they'll be subject to whatever maliciousness I can inflict on them.

    From the e-week article:
    "Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."

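Added example, not part of the thread: a content-based check for the point made in comment 3, that a Word file renamed to `document.qwer` passes a `.doc`/`.dot` name filter. It looks for the OLE2 compound-file signature and a `WordDocument` stream name; the function names, the "hold" policy and the stub sample are constructed for illustration.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")     # Compound File Binary (OLE2) signature
WORD_STREAM = "WordDocument".encode("utf-16-le")   # name of Word's main stream in the directory
BLOCKED_EXTENSIONS = (".doc", ".dot")              # the name-based rule from the question


def blocked_by_extension(filename: str) -> bool:
    return filename.lower().endswith(BLOCKED_EXTENSIONS)


def header_is_wellformed(data: bytes) -> bool:
    """Check the fixed CFB header fields that follow the signature and CLSID."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return False
    _minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    return byte_order == 0xFFFE and (major, sector_shift) in {(3, 9), (4, 12)}


def sniff(data: bytes) -> str:
    """Classify by content only: 'word', 'ole2' (other or truncated compound file) or 'other'."""
    if data[:8] != OLE2_MAGIC:
        return "other"
    # Heuristic: directory entries store stream names as UTF-16LE text.
    return "word" if WORD_STREAM in data else "ole2"


def should_hold(filename: str, data: bytes) -> bool:
    """Hold the attachment if either the name or the content says Word/OLE2."""
    return blocked_by_extension(filename) or sniff(data) != "other"


def constructed_stub(stream_name: str = "WordDocument") -> bytes:
    """Constructed sample: CFB header plus one directory sector, not a full document."""
    header = OLE2_MAGIC + bytes(16) + struct.pack("<HHHH", 0x3E, 3, 0xFFFE, 9)
    directory = "Root Entry".encode("utf-16-le").ljust(128, b"\0")
    directory += stream_name.encode("utf-16-le").ljust(128, b"\0")
    return header.ljust(512, b"\0") + directory.ljust(512, b"\0")


if __name__ == "__main__":
    sample = constructed_stub()
    for name in ("report.doc", "document.qwer"):
        print(name, "extension rule:", blocked_by_extension(name),
              "content:", sniff(sample), "hold:", should_hold(name, sample))
```

The same signature is shared by other OLE2 files such as .XLS and .PPT, which is why `sniff` reports those as `ole2` and the sample policy holds them too.
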
  4. MIMEDefang.. customize mimedefang-filter by jayjay_1978 · Score: 5, Interesting

    Set up MIMEDefang to convert M$ Word attachments to PDF using openoffice.
    Any attachments with a .doc extension or a mimetype of application/msword go through this process.
    Also to reduce the overhead, get the sha1sum for the word document, and save the pdf to .pdf
    Before any documents are converted with openoffice, get the sha1sum. If a .pdf already exists, use that file.

    This still allows people to get the content, which is most of the time, all they want.

    There is also a program called antiword that will convert ms word documents to text, PDF, or PostScript.
    But openoffice does a better job.
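
Added example, not part of the thread and not MIMEDefang's own filter code: the convert-once, cache-by-sha1sum flow from comment 4, sketched in Python. The default converter assumes LibreOffice's `soffice` is on PATH; the function names and the cache layout (one PDF named after the SHA-1 of the attachment) are assumptions.

```python
import hashlib
import os
import subprocess
import tempfile
from pathlib import Path


def soffice_to_pdf(doc_path: Path, out_dir: Path) -> Path:
    """Assumed converter: headless soffice writes <stem>.pdf into out_dir."""
    subprocess.run(["soffice", "--headless", "--convert-to", "pdf",
                    "--outdir", str(out_dir), str(doc_path)],
                   check=True, timeout=120)   # the timeout bounds a hung conversion
    return out_dir / (doc_path.stem + ".pdf")


def needs_conversion(filename: str, mime_type: str) -> bool:
    """Trigger from the comment: .doc extension or application/msword type."""
    return filename.lower().endswith(".doc") or mime_type.lower() == "application/msword"


def pdf_for_attachment(data: bytes, cache_dir: Path, convert=soffice_to_pdf) -> Path:
    """Return the cached PDF for this exact content, converting only on a cache miss."""
    cache_dir.mkdir(parents=True, exist_ok=True)
    cached = cache_dir / (hashlib.sha1(data).hexdigest() + ".pdf")
    if cached.exists():
        return cached
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "attachment.doc"   # fixed name: never reuse the sender's filename
        src.write_bytes(data)
        produced = convert(src, Path(work))
        # Publish with a rename so a concurrent filter process never reads a partial PDF.
        tmp = cache_dir / f"{cached.name}.{os.getpid()}.tmp"
        tmp.write_bytes(produced.read_bytes())
        tmp.replace(cached)
    return cached
```

The converter still parses the untrusted document, so it belongs in an unprivileged, isolated account on the mail server. Where cache poisoning through hash collisions matters, `hashlib.sha256` is a drop-in replacement for the SHA-1 key.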

  5. Re:You can't... by Anonymous Coward · Score: 1, Interesting

    I agree. While they haven't banned the sending of .doc files at my company with the recent vulnerabilities, they were blocked for a time a few months ago. In any case, it's often better for people to either A) put the document on a network drive and send a link to it or B) Upload it to a Sharepoint site.

    The advantage in both scenarios is that instead of creating dozens of copies of the same file, everyone viewing it is seeing the same file, which is especially useful when discussing edits or modifications to the document. If someone really needs a personal copy because they don't have network drive access for some reason (i.e. travelling), then they can ask the sender to change the file extension and send it to them separately.

  6. You should be limiting .DOC email exchange anyway by slamb · Score: 3, Interesting

    Even ignoring viruses/worms altogether, it's not a good idea for users to be exchanging .DOC, .XLS, and .PPT files through email. People do this for two reasons:
    1. Exchanging finished documents for reading. PDF is better:
      1. It can reproduce the results exactly.
      2. It doesn't include Word's "change tracking" information which can cause embarrassing leaks.
      3. It's a standard with many interoperable implementations.
    2. Exchanging in-progress documents for revision. At least for stuff limited to your company, a version control server (like Subversion with friendly TortoiseSVN clients) is better:
      1. Doesn't cause email storage to grow enormously. Instead, a server actually meant for this kind of thing stores only deltas. And only one copy of each document - on most mailservers, the disk space consumed by an attachment is proportional to the number of recipients.
      2. Lets you easily find the latest version of a document. ("Did he send me another copy after this? I'm not sure.")
      3. Lets you easily retrieve any previous version, see changes/authors/checkin comments. (I don't trust Word's built-in change tracking, and you shouldn't either. Its security model is flawed, and I don't think it's reliable to begin with.)
      4. Supports locking/unlocking documents to prevent conflicting changes.
      5. With some setup, supports diffing and merging office documents. You can maintain branches!
      6. Supports searching - where I work, we've plugged in swish-e for full-text searching over our documentation repository.
    I wish my company would just block all .DOC and .XLS files sent from one employee to another. It'd force them to use the documentation repository and save us all a tremendous amount of pain trying to dig through email for the right version of some Product Requirements Document. It'd also stop the whining from people complaining about hitting their email storage limits all the time.