Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do You Handle New MS Word Vulnerabilities?

Posted by Cliff on from the it-maybe-time-to-look-into-a-new-word-processor dept.

chipperdog asks: "With yet another zero-day exploit of MS-Word document files, what are fellow system admins doing to protect themselves against these threats? I have been blocking all .doc and .dot at the mail and proxy servers until malware scanners have signatures to detect and block the malicious files. Of course, this caused a uproar with the users, as there were continuous calls like: 'When can I send and receive Word files again' and 'I can't get anything done if I can't send/receive Word files'. Any suggestion of sending documents in different formats (like rtf, html, txt, or pdf) results in even more creative user 'feedback'. Has anyone done anything creative in their handling of word files — like having qmail-scanner pipe all .doc attachments through something such as wv to convert them to a less exploitable format?"

10 of 157 comments (clear)

  1. You can't... by Otter · · Score: 5, Insightful

    You can't suddenly cut off the exchange of Word documents in any modern business. Unless you can justify bringing your company to a halt over some vulnerabilities with no real-world risk, you just can't do it.

    --
    What I'm listening to now on Pandora...
  2. Open Office by Scott+Lockwood · · Score: 3, Interesting

    It's amazing how, we've been fighting this uphill battle to get our users to use Open Office, and now all of the sudden, managers are calling us to make sure all of their users have it. :-) Some days, I like my job. :-)

    --
    But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
  3. Wow... glad you don't work for me. by everphilski · · Score: 4, Insightful

    Killing your company's productivity by not allowing the exchange of information? A big no-no. Plus it is all-to-easy to get around (rename the extention, zip the file, etc).

    A better solution is to educate the users - send out a mass email explaining the vulnurability, that you shouldn't be opening and doc's you aren't expecting. If you do it is your own damn fault and the timeliness of the fixing of your machine can not be guaranteed. There is no reason to choke business as you have and quite frankly the users have every reason to be upset.

    1. Re:Wow... glad you don't work for me. by Joe+The+Dragon · · Score: 3, Insightful

      So what to tell the people in HR that are expecting resumes?

  4. Its pays to be thorough by PingSpike · · Score: 4, Funny

    We nuked the site from orbit. It was the only way to be sure.

  5. Re:Rename the files by Rob+T+Firefly · · Score: 4, Insightful

    I don't presume to know your job, but if your users need to subvert the protection scheme in order to use the system for its intended purpose and do their jobs, the protection scheme needs some serious work.

    --
    Slashdot Burying Stories About Slashdot Media Owned
  6. The simplest way. by revxul · · Score: 4, Insightful

    OpenOffice.org.

    --
    Truth, Just Us, And Hatred For All Mankind!
  7. Re:I don't by CerebusUS · · Score: 3, Interesting

    At least one of the three recent Word exploits affects Word for Mac as well.

    Also, to the original question:

    Scanning .doc and .dot files does little to no good for the most recent vulnerability. Windows is coded to open correctly formatted documents with unknown extensions with Word. So all I'd have to do to get around your filter is rename the document to: Exploit!.iamnotavir.us0 and if someone is silly enough to double-click it, they'll be subject to whatever maliciousness I can inflict on them.

    From the e-week article:
    "Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."

  8. MIMEDefang.. customize mimedefang-filter by jayjay_1978 · · Score: 5, Interesting

    Setup MIMEDefang to convert M$ word attachments to PDF using openoffice.
    Any attachments with a .doc extension or a mimetype of application/msword go through this process.
    Also to reduce the overhead, get the sha1sum for the word document, and save the pdf to .pdf
    Before any documents are converted with openoffice, get the sha1sum. if a .pdf already exists, use that file.

    This stills allows people to get the content, which is most of the time, all they want.

    There is also a program called antiword that will convert ms word documents to text, PDF, or PostScript.
    But openoffice does a better job.

  9. You should be limiting .DOC email exchange anyway by slamb · · Score: 3, Interesting
    Even ignoring viruses/worms altogether, it's not a good idea for users to be exchanging .DOC, .XLS, and .PPT files through email. People do this for two reasons:
    1. Exchanging finished documents for reading. PDF is better:
      1. It can reproduce the results exactly.
      2. It doesn't include Word's "change tracking" information which can cause embarrassing leaks.
      3. It's a standard with many interoperable implementations.
    2. Exchanging in-progress documents for revision. At least for stuff limited to your company, a version control server (like Subversion with friendly TortoiseSVN clients) is better:
      1. Doesn't cause email storage to grow enormously. Instead, a server actually meant for this kind of thing stores only deltas. And only one copy of each document - on most mailservers, the disk space consumed by an attachment is proportional to the number of recipients.
      2. Lets you easily find the latest version of a document. ("Did he send me another copy after this? I'm not sure.")
      3. Lets you easily retrieve any previous version, see changes/authors/checkin comments. (I don't trust Word's built-in change tracking, and you shouldn't either. Its security model is flawed, and I don't think it's reliable to begin with.)
      4. Supports locking/unlocking documents to prevent conflicting changes.
      5. With some setup, supports diffing and merging office documents. You can maintain branches!
      6. Supports searching - where I work, we've plugged in swish-e for full-text searching over our documentation repository.
    I wish my company would just block all .DOC and .XLS files sent from one employee to another. It'd force them to use the documentation repository and save us all a tremendous amount of pain trying to dig through email for the right version of some Product Requirements Document. It'd also stop the whining from people complaining about hitting their email storage limits all the time.