Slashdot Mirror

← Back to Stories (view on slashdot.org)

Word Vulnerability Compromised US State Dept.

Posted by samzenpus on from the you've-got-a-virus dept.

hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Departments network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"

3 of 207 comments (clear)

  1. Re:Microsoft Logic by neil.orourke · · Score: 3, Informative

    It doesn't necessarily mean that there are more security holes. Remember the Win2K patch that killed Compaq desktops with a particular network card?

  2. How the **** is this insightfull? by Mr+44 · · Score: 3, Informative
    Wheres the -1, Misinformed?

    That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system.

    Are you implying that is not the case with windows??? A quick look in task manager shows some system processes running as your user account, some as "LOCAL SERVICE", some as "NETWORK SERVICE", (both restricted accounts) and some as "SYSTEM" (=root). And a quick look at top on my linux box sure doesn't show "almost all" services running as unique users.

    And sure, its up to the administrator to configure it so the user account is not an administrator, but I've never seen a government system where a domain user account has local admin rights.

    In the specific case of this vulnerability, the word document was able to run arbitrary executable code as the current user. This presumably allowed access to network shares, and then sending the data back out (via HTTP most likely). That sort of thing would be possible with any operating system.

    The only area you are correct in is that on linux the flaw could be patched quicker... But in a large organization, it likely could still be preferable to block the exploit with IDS/firewall rules than by rolling out a client patch...
  3. Re:Scary by ArsenneLupin · · Score: 4, Informative

    The crux of the problem here is that MS Word needs or provides Internet access for some of it's functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems. Although Word does probably provide Internet access to its macros and other nasties, this was not a necessary condition for this to work. Even if MS Word didn't have any code within to connect to the internet, any supposed exploit would have been able to supply its own. And from the looks of it, this is what happen here. Apparently, this was some kind of call-back program that would somehow tunnel out through the firewall, connect to the hacker's control console and accept instructions from there.

    Such a thing is rather complex, and probably not pre-existing within word. It was brought in by the trojan itself.