Slashdot Mirror


How Do You Handle New MS Word Vulnerabilities?

chipperdog asks: "With yet another zero-day exploit of MS-Word document files, what are fellow system admins doing to protect themselves against these threats? I have been blocking all .doc and .dot at the mail and proxy servers until malware scanners have signatures to detect and block the malicious files. Of course, this caused an uproar with the users, as there were continuous calls like: 'When can I send and receive Word files again' and 'I can't get anything done if I can't send/receive Word files'. Any suggestion of sending documents in different formats (like rtf, html, txt, or pdf) results in even more creative user 'feedback'. Has anyone done anything creative in their handling of word files — like having qmail-scanner pipe all .doc attachments through something such as wv to convert them to a less exploitable format?"

28 of 157 comments

  1. You can't... by Otter · · Score: 5, Insightful

    You can't suddenly cut off the exchange of Word documents in any modern business. Unless you can justify bringing your company to a halt over some vulnerabilities with no real-world risk, you just can't do it.

    1. Re:You can't... by Todd+Knarr · · Score: 2, Insightful

      Why would banning Word documents bring your company to a halt? Word will open RTF files (for example) just as automatically as it will its native format. It can save as RTF almost as easily as its native format; it's at most 2-3 extra keystrokes once in the entire lifetime of the document. RTF handles all the text formatting, images and such that Word's native format does. The only things it doesn't support are the active content and such that malware uses, and I don't see that as a problem. So why should a block of Word documents have any effect whatsoever on a business?

    2. Re:You can't... by dwater · · Score: 2, Insightful

      "better"? Not from the point of view of the vulnerability, it isn't. Sure, it's better practice to do as you describe (saves on bandwidth), but it doesn't make any difference how they get an infected file - email, copy, http, ftp - all the same from the virus's point of view.

      --
      Max.
  2. At least for now we filter... by Jhon · · Score: 2, Informative

    All attached DOC files are filtered and placed into a user's quarantine folder (which they have access to via a web browser). Simple permissions keep them from accessing the file itself until it can be checked. Once checked, permissions are changed and the user can pull the document.

    It's frustrating for the end user as they don't have instant access to their attachment (sometimes there's a 4-hour delay before the file can be manually inspected -- still waiting for some def-files!) and it's taxing my staff time-wise to do this (we've got better things to do than check for any monkey-business in word documents). We've suggested everyone convert to PDFs and send THOSE and it's been working but it's still a disruption.

    1. Re:At least for now we filter... by CerebusUS · · Score: 2, Informative

      As I've noted elsewhere, if you think your filter is protecting you, you are wrong:

      "Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."

      source

  3. Open Office by Scott+Lockwood · · Score: 3, Interesting

    It's amazing how, we've been fighting this uphill battle to get our users to use Open Office, and now all of the sudden, managers are calling us to make sure all of their users have it. :-) Some days, I like my job. :-)

    --
    But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
  4. Wow... glad you don't work for me. by everphilski · · Score: 4, Insightful

    Killing your company's productivity by not allowing the exchange of information? A big no-no. Plus it is all too easy to get around (rename the extension, zip the file, etc).

    A better solution is to educate the users - send out a mass email explaining the vulnerability, that you shouldn't be opening any docs you aren't expecting. If you do, it is your own damn fault and the timeliness of the fixing of your machine cannot be guaranteed. There is no reason to choke business as you have and quite frankly the users have every reason to be upset.

    1. Re:Wow... glad you don't work for me. by Joe+The+Dragon · · Score: 3, Insightful

      So what to tell the people in HR that are expecting resumes?

    2. Re:Wow... glad you don't work for me. by MarcoAtWork · · Score: 2, Informative

      have one admin with vmware player and a vm that mounts read-only the quarantine folder on the network where any 'suspect' doc is dumped (resumes, attachments from untrusted sources, whatever), in the vm convert the .doc to .pdf and put it in a separate directory that is instead accessible from everybody. Of course the vmware image should be configured NOT to have access to absolutely anything but this one 'quarantine' host.

      Users then access the pdf files from the 'safe' area normally, if you want to just have the admin move files to separate subdirectories with appropriate user permissions.

      If you don't want to have a designated person doing this, you could mandate that your users can use email only from within VMs (that don't have any sort of network access besides receiving email) and must convert to a different format before saving it on a shared folder on their local disk.

      I think something along these lines (quarantine + conversion to a different format, whether centrally located or on everybody's box) should be mandatory for offices where they are expecting .docs from untrusted sources. After all, if the HR person's desktop gets compromised you'll be in a LOT more pain than if somebody else's was, given the sensitivity of the information that generally is stored in there...

      --
      -- the cake is a lie
    3. Re:Wow... glad you don't work for me. by Todd+Knarr · · Score: 2, Interesting

      I like the position my ISP's HR people take: "The posting said "No Word documents accepted.". The job's as a senior network engineer. It's going to require lots of detective work to troubleshoot obscure and arcane problems. If you can't figure out how to use Word's "Save As" to save in RTF or HTML, you are not qualified for the position. If you can't figure out that "No Word Documents accepted." means we won't be accepting Word documents, you aren't qualified for any position.".

  5. Re:Rename the files by caserio · · Score: 2, Funny

    Your users are smart enough to do that? I want your job.

  6. It pays to be thorough by PingSpike · · Score: 4, Funny

    We nuked the site from orbit. It was the only way to be sure.

  7. Re:Rename the files by Rob+T+Firefly · · Score: 4, Insightful

    I don't presume to know your job, but if your users need to subvert the protection scheme in order to use the system for its intended purpose and do their jobs, the protection scheme needs some serious work.

  8. The simplest way. by revxul · · Score: 4, Insightful

    OpenOffice.org.

    --
    Truth, Just Us, And Hatred For All Mankind!
  9. Re:Simple: by Anonymous Coward · · Score: 2, Funny

    Use Vim instead.

  10. Re:"Zero-day" by tchuladdiass · · Score: 2, Informative

    Actually, a zero-day exploit is an exploit (piece of attack code) that is making use of a previously-undiscovered/undisclosed security vulnerability. Contrast this to freshly discovered security holes that don't have any exploits written for them yet (which is most security announcements), and exploits that have been written to take advantage of previously known security holes.

  11. Quarantine by Knara · · Score: 2, Insightful

    When we have viruses exploiting Word files, part of our security team sends out a notice that says we're temporarily quarantining the files until we can have them cleared. But really, you can't indefinitely stop word files from coming in.

    I'll admit I'm too lazy to read the exact detail of the exploit, but shouldn't this whole situation be alleviated by good, layered network security anyway?

  12. Re:I don't by CerebusUS · · Score: 3, Interesting

    At least one of the three recent Word exploits affects Word for Mac as well.

    Also, to the original question:

    Scanning .doc and .dot files does little to no good for the most recent vulnerability. Windows is coded to open correctly formatted documents with unknown extensions with Word. So all I'd have to do to get around your filter is rename the document to: Exploit!.iamnotavir.us0 and if someone is silly enough to double-click it, they'll be subject to whatever maliciousness I can inflict on them.

    From the e-week article:
    "Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."
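
The advisory quoted in this comment and in comment 1.2 makes the same point: a renamed Word binary still opens in Word, so filtering on .doc/.dot misses it. The following Python script is an added example (not code from the thread or from any product mentioned in it) showing the content-based check a mail filter would use instead: it looks for the OLE2 compound-file signature and the UTF-16LE "WordDocument" stream name rather than the extension. The sample attachments, including the renamed one from the post above, are constructed byte strings, not real documents, and the substring search for the stream name is a triage heuristic rather than a full compound-file parse.

```python
#!/usr/bin/env python3
"""Content-based triage of mail attachments: recognise legacy Word binaries by
their header instead of their file name (constructed example)."""

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File Binary (legacy .doc/.xls/.ppt)
RTF_MAGIC = b"{\\rtf"
# Stream names inside a compound file are stored as UTF-16LE; a Word binary
# document always carries a "WordDocument" stream.
WORD_STREAM = "WordDocument".encode("utf-16-le")
WORD_EXTENSIONS = {"doc", "dot"}


def sniff(data: bytes) -> str:
    """Classify the bytes of an attachment, ignoring its name entirely."""
    if data.startswith(OLE2_MAGIC):
        # Substring search is a triage heuristic, not a full CFB directory parse
        # (assumption: good enough to tell Word from Excel/PowerPoint containers).
        return "word-binary" if WORD_STREAM in data else "ole2-other"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def triage(filename: str, data: bytes) -> dict:
    """Combine the content sniff with the extension to spot disguised Word files."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    return {
        "name": filename,
        "kind": kind,
        # A Word binary carrying a non-Word extension is exactly the case an
        # extension filter lets through; flag it for quarantine or conversion.
        "disguised": kind == "word-binary" and ext not in WORD_EXTENSIONS,
    }


# Constructed sample payloads (not real documents): the 8-byte signature,
# padding to a 512-byte header, then a fake directory entry with the stream name.
FAKE_WORD_BINARY = OLE2_MAGIC + bytes(504) + WORD_STREAM.ljust(64, b"\x00")
FAKE_EXCEL_BINARY = OLE2_MAGIC + bytes(504) + "Workbook".encode("utf-16-le").ljust(64, b"\x00")
FAKE_RTF = b"{\\rtf1\\ansi Hello}"

SAMPLES = [
    ("report.doc", FAKE_WORD_BINARY),
    ("Exploit!.iamnotavir.us0", FAKE_WORD_BINARY),   # renamed, as the post describes
    ("budget.xls", FAKE_EXCEL_BINARY),
    ("notes.rtf", FAKE_RTF),
    ("readme.txt", b"plain text"),
]


def triage_all(samples=SAMPLES) -> list:
    """Triage every (name, bytes) pair; returns one dict per attachment."""
    return [triage(name, data) for name, data in samples]


if __name__ == "__main__":
    for row in triage_all():
        flag = "  <-- disguised Word binary" if row["disguised"] else ""
        print(f"{row['name']:<28} {row['kind']}{flag}")
```

Run as-is it prints one line per constructed sample and flags only the renamed Word binary. In a real filter the "disguised" result would feed the same quarantine path the .doc extension does; the "ole2-other" result is worth a second look too, since Excel and PowerPoint binaries share the container.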

  13. Re:Simple: by CerebusUS · · Score: 2, Funny

    Reasonable or not, Microsoft's suggestion regarding the vulnerability is to "not open or save Word document files"

  14. MIMEDefang.. customize mimedefang-filter by jayjay_1978 · · Score: 5, Interesting

    Set up MIMEDefang to convert M$ Word attachments to PDF using OpenOffice.
    Any attachments with a .doc extension or a mimetype of application/msword go through this process.
    Also, to reduce the overhead, get the sha1sum of the Word document and save the PDF as <sha1sum>.pdf.
    Before any document is converted with OpenOffice, get the sha1sum; if <sha1sum>.pdf already exists, use that file.

    This still allows people to get the content, which is, most of the time, all they want.

    There is also a program called antiword that will convert ms word documents to text, PDF, or PostScript.
    But openoffice does a better job.
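
The convert-once-per-document idea above, written out as an added Python example (this is not MIMEDefang's own filter code, which is Perl). It keys the PDF cache on the SHA-1 of the attachment bytes, publishes each PDF with an atomic rename so a concurrent delivery never sees a half-written file, and keeps the converter pluggable. The `openoffice_convert` function assumes a modern `soffice --headless --convert-to pdf` command line; the cache directory path and the `fake_convert` stand-in used by `demo()` are constructed for offline demonstration.

```python
#!/usr/bin/env python3
"""Convert Word attachments to PDF once per distinct file, keyed by the SHA-1
of the content (example written for this thread, not MIMEDefang's own code)."""
import hashlib
import os
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Tuple

# Assumption: cache location; override with DOC2PDF_CACHE in the environment.
CACHE_DIR = Path(os.environ.get("DOC2PDF_CACHE", "/var/cache/doc2pdf"))


def should_convert(filename: str, mimetype: str) -> bool:
    """The post's policy: a .doc extension or an application/msword MIME type."""
    return filename.lower().endswith(".doc") or mimetype.lower() == "application/msword"


def openoffice_convert(src: Path, out_dir: Path) -> Path:
    """Headless conversion (assumed CLI: soffice --headless --convert-to pdf)."""
    subprocess.run(
        ["soffice", "--headless", "--convert-to", "pdf", "--outdir", str(out_dir), str(src)],
        check=True, timeout=120,
    )
    return out_dir / (src.stem + ".pdf")


def cached_pdf(data: bytes,
               convert: Callable[[Path, Path], Path] = openoffice_convert,
               cache_dir: Path = CACHE_DIR) -> Tuple[Path, bool]:
    """Return (path_to_pdf, cache_hit). Identical content is converted only once."""
    digest = hashlib.sha1(data).hexdigest()
    target = cache_dir / f"{digest}.pdf"
    if target.exists():
        return target, True
    cache_dir.mkdir(parents=True, exist_ok=True)
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        src = tmp_path / f"{digest}.doc"
        src.write_bytes(data)            # the converter only ever sees a scratch copy
        pdf = convert(src, tmp_path)
        # Atomic publish: copy beside the target, then rename, so a concurrent
        # delivery never serves a partially written PDF.
        partial = cache_dir / f"{digest}.pdf.part"
        shutil.copyfile(pdf, partial)
        os.replace(partial, target)
    return target, False


def fake_convert(src: Path, out_dir: Path) -> Path:
    """Stand-in converter for offline demonstration: writes a marker 'PDF'."""
    pdf = out_dir / (src.stem + ".pdf")
    pdf.write_bytes(b"%PDF-1.4 placeholder converted from " + src.name.encode())
    return pdf


def demo() -> dict:
    """Push the same constructed document through the cache twice, then a different one."""
    data = b"constructed fake .doc bytes"
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "cache"
        p1, hit1 = cached_pdf(data, fake_convert, cache)
        p2, hit2 = cached_pdf(data, fake_convert, cache)
        _, hit3 = cached_pdf(data + b"!", fake_convert, cache)
        return {
            "first_hit": hit1, "second_hit": hit2, "different_hit": hit3,
            "same_path": p1 == p2,
            "pdf_count": len(list(cache.glob("*.pdf"))),
            "policy": [should_convert("a.DOC", "application/octet-stream"),
                       should_convert("a.bin", "application/msword"),
                       should_convert("a.pdf", "application/pdf")],
        }


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the second delivery of the same attachment is a cache hit and that a one-byte change produces a new conversion. SHA-1 is used because that is what the post describes; for a new deployment a SHA-256 key costs nothing extra and avoids relying on a hash that is no longer collision resistant.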

  15. Re: Antiword or Catdoc by lky · · Score: 2, Informative

    Well, I use Linux so I don't have MS Office, but I extract the text from MS Word documents using Antiword or Catdoc and then read them in Vim.

    Antiword: http://www.winfield.demon.nl/
    Catdoc: http://www.45.free.net/~vitus/software/catdoc/

    Add this to your .vimrc to make it automagic:

    " Mark .doc buffers as msword before reading; no quotes around the value,
    " otherwise the filetype is set to the literal string "msword" with quotes
    " and the Filetype autocmd below never fires.
    autocmd BufReadPre *.doc set filetype=msword
    " Replace the raw binary with antiword's text extraction of the file on disk
    autocmd BufReadPost *.doc silent %!antiword "%"
    autocmd Filetype msword call s:MyMSWordSettings()

    function! s:MyMSWordSettings()
            setlocal readonly
            set hlsearch!   " toggles search highlighting for this session
    endfunction

    For RTF documents, check out UnRTF: http://www.gnu.org/software/unrtf/unrtf.html

  16. Re:Why not... by CerebusUS · · Score: 2, Informative

    The latest vulnerability doesn't require macros.

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory,"

    There's no way to protect from these documents via group policy, short of a group policy that disallows word from running.

  17. Re:I don't by Praedon · · Score: 2, Insightful

    Being an ex-network administrator, I have come to the conclusion that it is us who save the company tons of money by keeping it safe from exploits. By practicing good security measures, anti-virus installations, ad-ware remover, etc, it usually cuts down considerably on the amount of work it takes to keep the network infrastructure free of viruses and spyware, allowing time to focus on other important factors, such as Word exploits, migration from windows to a linux OS if all it requires is word processing, etc.

    Here's hoping Vista lives up to the hype that under good security measures, it will be somewhat secure. Otherwise, there are alternatives such as migration to linux and OpenOffice and such, which does not suffer from as many exploits that Windows and Office does.

    --
    Just me
  18. Re:Rename the files by bb5ch39t · · Score: 2, Insightful

    What amazes me is that companies continue to hire people like this that need to use computers constantly as part of their job, yet don't have even the most basic computer skills.

    The reason is simple. Such people can be hired for less money per hour. This increases profitability and thus directly affects management's bonuses. That is what matters to management. Any problems caused by this are obviously the technicians' fault.

  19. You should be limiting .DOC email exchange anyway by slamb · · Score: 3, Interesting

    Even ignoring viruses/worms altogether, it's not a good idea for users to be exchanging .DOC, .XLS, and .PPT files through email. People do this for two reasons:
    1. Exchanging finished documents for reading. PDF is better:
      1. It can reproduce the results exactly.
      2. It doesn't include Word's "change tracking" information which can cause embarrassing leaks.
      3. It's a standard with many interoperable implementations.
    2. Exchanging in-progress documents for revision. At least for stuff limited to your company, a version control server (like Subversion with friendly TortoiseSVN clients) is better:
      1. Doesn't cause email storage to grow enormously. Instead, a server actually meant for this kind of thing stores only deltas. And only one copy of each document - on most mailservers, the disk space consumed by an attachment is proportional to the number of recipients.
      2. Lets you easily find the latest version of a document. ("Did he send me another copy after this? I'm not sure.")
      3. Lets you easily retrieve any previous version, see changes/authors/checkin comments. (I don't trust Word's built-in change tracking, and you shouldn't either. Its security model is flawed, and I don't think it's reliable to begin with.)
      4. Supports locking/unlocking documents to prevent conflicting changes.
      5. With some setup, supports diffing and merging office documents. You can maintain branches!
      6. Supports searching - where I work, we've plugged in swish-e for full-text searching over our documentation repository.
    I wish my company would just block all .DOC and .XLS files sent from one employee to another. It'd force them to use the documentation repository and save us all a tremendous amount of pain trying to dig through email for the right version of some Product Requirements Document. It'd also stop the whining from people complaining about hitting their email storage limits all the time.
  20. MOD PARENT INFORMATIVE by iluvcapra · · Score: 2, Informative

    Thanks for the links. I know this problem isn't proven on OS X, but based on the executive summary I'd suppose it could be an issue, so to Mac OS X people, textutil(1) can read doc and convert to txt, html, rtf, or even webarchive, so you get all the images.

    Textutil is in /usr/bin on an install of OS X, and just acts as a wrapper for the OS X text word processing subsystem.

    --
    Don't blame me, I voted for Baltar.
  21. Remove the root cause by 6031769 · · Score: 2, Insightful

    We do not use Microsoft Word at my place of business. This is therefore no longer a concern. If any sysadmin thinks this is a problem, it's clearly time to approach the PHB with it in terms that they will understand. Something along the lines of, "Yes, I'd love to tackle that super-urgent issue of yours, but I'm too busy fighting these n MS Word vulnerabilities" where n is greater than zero. That ought to do it.

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.
  22. Just use OpenOffice rather than cutting them off by leonbrooks · · Score: 2, Insightful

    OpenOffice allows you to read & write MS-Word docs without having MS-Word. This has worked well for many of my customers, & they enjoy the PDF document production & the ability to recover many broken MS-Office documents simply by opening them in OpenOffice.

    OpenOffice also runs on more platforms & is developing faster, & the docs are much easier to externally process (they’re basically ZIPped XHTML in a moderately sane format).

    Oh, yes, and it’s much cheaper ($0 per seat) & you don’t have to watch out for time-bombs in the registration or anything like them.

    And finally, I like it more. It’s not perfect, but things are generally arranged more sensibly, plus a lot more odd little corner cases are correctly (consistently) implemented.

    --
    Got time? Spend some of it coding or testing