Slashdot Mirror


Word Vulnerability Compromised US State Dept.

hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Department's network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"

63 of 207 comments

  1. Great news for open formats by Beuno · · Score: 4, Insightful

    Well this should push everything towards open document formats a bit more, so it might just be a good thing...

    1. Re:Great news for open formats by aputerguy · · Score: 2, Funny

      Friends don't let Friends use Micro$oft...

    2. Re:Great news for open formats by drago177 · · Score: 5, Interesting

      It would be so easy to just install StarOffice on each computer (keep Word), and ask the more technical departments to start using it, if only to save docs in Word format at first. I did this with the last company I worked at, nobody ever even complained. The cost was very minimal, and it actually saved a lot of money and time when an excel file corrupted itself. MS could not open it, but SO opened then re-saved it in MS format, then it worked fine.

    3. Re:Great news for open formats by Gerzel · · Score: 3, Insightful

      I think one problem is that we are making document formats that are far more than just what they are ostensibly used for. Word processing documents are generally meant to hold blocks of text, some pictures and charts, and some internal pointers. Does a word processing format really need JavaScript, and support for every feature under the sun?

      However a new format for every feature doesn't work too well either. Perhaps an extendable document format that plainly details what features are used in the document, so you can tell if that Word doc in your email has more than just the text of that newly leaked Harry Potter novel.

    4. Re:Great news for open formats by Anonymous McCartneyf · · Score: 2, Interesting

      But if Open Document Text does almost everything .doc files do, how can we be sure it doesn't have similar back doors?

      --
      There is a fine line between recklessness and courage... -- Paul McCartney

    5. Re:Great news for open formats by berzerke · · Score: 2, Insightful

      How come you recommend StarOffice over OpenOffice.org?...

      Well, perhaps some policy forbids installing free (as in no invoice) software, or the policy requires a support contract.

    6. Re:Great news for open formats by drago177 · · Score: 5, Interesting

      I heard the install was faster/easier, and it was. You're right about the support - never tried it, but I did want to contribute to the open source concept, and $ rules the world. I knew those above me wouldn't notice an extra $20 on each pc, but they were scared of 'non-professional software', so to be able to tell them there was support was a necessary safeguard.

      Oh, btw, they were using that excel sheet to keep track of a fleet of buses (this co was archaic in their IT dept when I got there). A radio dispatcher was frantically telling the bus drivers there was a computer problem and to 'hold tight' for 15 minutes till I got there, then 5-10 more minutes to figure out MS file recovery wouldn't cut it, and 5 to install SO from network and fix the prob. The only serious occasion that pitted MS vs SO and the results were stark. So no I'm not on Sun's payroll, but the story ought to be a commercial, and I walked out like a hero so I'm happy to tell it.

    7. Re:Great news for open formats by Eggplant62 · · Score: 3, Insightful

      Use the SOURCE, Luke.

      With open software, you can look at the source code and see exactly what it does and test it for all the vulnerabilities you want and get them removed, by yourself if you find yourself so talented. Only the monkeys in Redmond know what is really going on in Windows, and anyone using their products is dependent upon MS and MS only for a solution. That may come in days, weeks, but most likely months after a vulnerability is found. Meanwhile, someone ends up releasing details of the vulnerability, then codes up a nasty bug to take advantage. The fact that MS software is so full of holes and has no real peer-review process among the general population of all possible coders interested in fixing bugs is its weakness in comparison.

    8. Re:Great news for open formats by boer · · Score: 5, Insightful

      > With open software, you can look at the source code and see exactly what it does

      I thought even the OS community had realised by now how ridiculous this argument is. World economy would in effect come to a halt if every company and public office started to scan source codes for potential vulnerabilities. This is hardly a selling argument and being a wise-ass about it has never helped the OS movement.

      Having a goal of zero vulnerabilities in such complex software as an office suite strikes one as feasible only to an ideologist nerd. In practice there will always be vulnerabilities as long as human beings will be responsible for the design and programming. And having gazillions of eyes searching through the source code, presumably on the company dollar, is not an effective way to remove those faults.

      --
      (This sig intentionally left blank)

    9. Re:Great news for open formats by mattpalmer1086 · · Score: 5, Insightful

      Parent is making a valid point, and is not a troll, whoever modded them that way. The 'more eyes' argument doesn't really work for me either. I use open source software all the time, and I rarely have a look at the source code, and even less frequently take the trouble to understand even a small part of it.

      What does work for me with open source is that the nature of open, distributed development tends to promote code modularity, which helps keep those defect counts down. And the fact that code is publicly available exerts an influence on developers to publish code they aren't ashamed of (unlike what happens in proprietary software development with tight deadlines set by the sales team making unrealistic promises to clients - I have been there).

      However, there is a real distinction between defect-free software (probably does not exist) and software that intentionally includes back-doors. With open-source, you can have more confidence that there is no back door, spy-ware, or anything else that shouldn't be part of the application. But it certainly doesn't mean the software will be defect free.

    10. Re:Great news for open formats by Professor_UNIX · · Score: 3, Funny

      Instead of waiting for the 1.5 - 2 hours for Microsoft Office to install I just downloaded star office and installed (took all of 10 minutes).

      You know, you can't really count the amount of time it takes to download Microsoft Office via BitTorrent from a pirate site as part of the install time. Office 2003 took me about 15 minutes to install. Quit making shit up.

    11. Re:Great news for open formats by tomstdenis · · Score: 3, Funny

      Does that include the time for downloading updates, rebooting, and praying towards Redmond?

      Tom

      --
      Someday, I'll have a real sig.

    12. Re:Great news for open formats by zacronos · · Score: 2, Insightful

      a) Everyone CAN look at it [the source] (so no backdoors will be implemented)
      a) is correct, conclusion is not (see Ken Thompson's attack against a compiler)
      Actually, I would say a)'s conclusion was correct (and yes I'm familiar with the attack you mentioned). The poster did not say "no backdoors can exist in the software", but "no backdoors will be implemented". Assuming the poster meant "no backdoors will be implemented in the software being examined", I would say it is a correct statement -- there is a difference between a backdoor implemented in the source of software and a backdoor injected into the software by a compiler. Those are 2 different vectors that can both allow a backdoor in software (and both are possible regardless of whether it is closed or open source). Open source greatly reduces the likelihood of one of those vectors being attempted, and if attempted it probably reduces the expected length of time it will persist unnoticed.

      Saying open source software is no protection against backdoors because it is vulnerable to compiler-injected code is like saying that wearing a bullet-proof vest into a warzone is no protection because you're still just as vulnerable to stepping on a land mine.

    13. Re:Great news for open formats by LO0G · · Score: 2, Insightful

      Yeah, because those open document formats are 100% safe from coding bugs in the applications that parse them.

      And unquestionably OpenOffice is immune to parsing errors.

  2. Hmmm...hackers by Spookticus · · Score: 5, Funny

    It seems those hackers missed the Philippines and accidentally hit the state department instead

    1. Re:Hmmm...hackers by dclozier · · Score: 2, Funny

      and bush won again. just who are these hackers? :D

  3. Quick by WED Fan · · Score: 3, Funny

    Quick everyone, the bandwagon is getting ready to leave. Jump on.

    --
    Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.

    1. Re:Quick by Sancho · · Score: 4, Insightful

      What magical office software do you use that is apparently 100% bug free?

    2. Re:Quick by grcumb · · Score: 5, Funny

      What magical office software do you use that is apparently 100% bug free?

      Emacs

      *ducks and runs*

      --
      Crumb's Corollary: Never bring a knife to a bun fight.

    3. Re:Quick by aichpvee · · Score: 3, Funny

      Does that include a decent text editor yet?

      --
      The Farewell Tour II

    4. Re:Quick by Jugalator · · Score: 2, Funny

      Tsk, tsk, Linux users these days...
      I type OpenOffice.org Writer XML in VI... In the format's ZIP-compressed form!

      --
      Beware: In C++, your friends can see your privates!

    5. Re:Quick by Anonymous Coward · · Score: 2, Funny

      Sure, it comes with a preinstalled vi implementation.

    6. Re:Quick by lanswitch · · Score: 2, Funny

      But does it run Linux?

  4. Scary by nicolas.kassis · · Score: 5, Insightful

    The fact that a simple Word document can cause such a big problem is really sad. How can you tell a few thousand people not to open Word document attachments? I mean, where I work, users receive tons of documents (pdf, office, autocad) files by email from vendors and such, I guess the only defense is good email filtering but still a 0-day attack would make that useless.

    1. Re:Scary by mrbluze · · Score: 5, Insightful

      The fact that a simple Word document can cause such a big problem is really sad. How can you tell a few thousand people not to open Word document attachments?

      Of course this is a popular article because it's more evidence of how Microsoft's 'professional' products are so amateurish, but you're right, you can't tell thousands of people not to open an attachment.

      The root of the problem doesn't lie in Word documents, or Word for Windows. The problem lies in Windows, period. The operating system is practically incapable of separating important and sensitive data from junk-mail and untrusted documents from the outside. In such a place as the State Department, it's scandalous.

      Whilst hypothetically, Linux is also vulnerable (eg: through some flaw in Open Office), a properly configured system could protect itself without needing to rely on the end user to manually screen every bit of junk they come across. Sure there would potentially have been some corruption of data, maybe some low level leakage, but really, this all points to a hopelessly overcomplicated and poorly designed OS. Naughty Bill!

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]

    2. Re:Scary by shawn(at)fsu · · Score: 3, Interesting

      Why would you ever open anything not from a source you know if you were in the State Department? ...

      FTA (which isn't entirely clear):

      The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as back door communications with the hackers.

      It's not clear, but I wouldn't be so quick to say the employee was stupid for opening an email without knowing the source. If it appeared legit and it was just a plain Word doc with no VB scripts then it's not all his/her fault.

      And why are you taking aim at governments in particular? Any government, corporation or single home user could have been fooled by this.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.

    3. Re:Scary by Sancho · · Score: 4, Insightful

      Running ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

      Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."

      Unfortunately, they didn't disclose the nature of the vulnerability. "hidden software commands" in the mass media could be anything from shellcode to an executable embedded in the document, to a macro. Since Microsoft patched it, it was probably either something that autoran or an overflow.

    4. Re:Scary by Architect_sasyr · · Score: 3, Interesting

      It's interesting to note that the compromises on our machines don't occur on our terminal servers or the critical PCs, they only occur on the ones that "absolutely must have" administrative access on their local machine.

      A properly configured windows system is as secure as a properly configured linux system (well, in this case anyway!). And in case you're wondering: If our helpdesk can't solve the issue within 15 minutes the PC is re-imaged no questions asked no data saved. People store stuff on network servers because they're told to, anyone who doesn't comply with IT is made to suffer the consequences.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...

    5. Re:Scary by ozmanjusri · · Score: 4, Insightful
      If our helpdesk can't solve the issue within 15 minutes the PC is re-imaged no questions asked no data saved.

      Christ on a stick! That's a bloody good reason to hide EVERY problem from the IT Nazis.

      Does anyone ever get any work done?

      --
      "I've got more toys than Teruhisa Kitahara."

    6. Re:Scary by tftp · · Score: 2, Interesting
      A properly configured windows system is as secure as a properly configured linux system

      It is also unmanageable by the operator. The IT does not have time to run around and help everyone when he needs to connect to a printer, for example, or install an approved, free or site-licensed piece of software. A simple XP user can't even change his own preferences in Word; a power user can't connect to a printer (but can install some software.) The XP privileges and their effects are as chaotic as they can be.

    7. Re:Scary by jkrise · · Score: 4, Insightful

      Running ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

      Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."

      Nice attempt to evade the issue by raking up redundant matters. The crux of the problem here is that MS Word needs or provides Internet access for some of its functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems.

      The fact that Word is designed to occasionally talk over the internet coupled with its hooks into the OS via things like VBA etc. is the problem. In fact, the main problem here is not Word or Office, it is the Windows architecture that is vulnerable.

      --
      If you keep throwing chairs, one day you'll break windows....

    8. Re:Scary by wvmarle · · Score: 2, Insightful

      Running ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

      Of course I don't. Nobody does. But the difference is, I wouldn't run a script like that when receiving it via e-mail, unless specifically requested from the sender. Word documents are another matter. I regularly (few times a week) get them unexpectedly, from unknown origin, and do open them. That is because I am expecting new sales/purchase leads from new customers/suppliers - that's part of my business. And often they send their info as MS Word attachment. That said, I use Linux/OOo so not much risk opening doc files.
      The scripts I run are downloaded from "trusted" sources - websites of known open-source software, collection sites like sourceforge, etc.

      Wouter.

    9. Re:Scary by dave1g · · Score: 2, Interesting

      Actually you can. You just have to be hard core like the military. I work for a military contractor (a university research lab); we received an email telling us to not use Word documents whatsoever for a certain period of time, and if we didn't comply we lose our contracts. All attachments were being made in rich text format, some of the non techies were scrambling to figure out how to do it but life went on.

      not trying to excuse microsoft for their shitty product, just saying you can tell people to stop using word for a few weeks if there are real consequences.

    10. Re:Scary by Architect_sasyr · · Score: 5, Interesting

      Actually it's a very effective method for both the IT team and the people who desperately need the administrative access. IT aren't required to understand every little john doe program that these people can want to install so they don't have to support them (this is very clearly communicated to these users).

      It also means that we have a relatively standardised form across the board despite having PCs everywhere and very quickly weed out the users who think they're smart but aren't really.

      An example of a good operator: there's a bloke over in administration who I would swear used to work in IT. He's got Open Office installed when everyone else uses Microsoft Office, he uses firefox, thunderbird and trillian for his messenger. About 500 theme packs and a few other bits of software. According to our helpdesk logging system he has only ever called once, and this was when he patched himself for the new daylight savings time last year. Everyone else had the problem as well.

      Also, so that those who aren't aware know, you don't have to be a local administrator to install a network printer. Anyone hooking a printer directly to a PC in a corporate environment is either a director or an IT who has lots to learn.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...

    11. Re:Scary by Raideen · · Score: 2, Interesting

      As the GP stated, "People store stuff on network servers because they're told to, anyone who doesn't comply with IT is made to suffer the consequences." Keeping data on the individual PCs is costly. In an environment that's set up properly (folder redirection at least, no write access to the hard drive outside of the home directory, maybe the addition of roaming profiles), there's no reason to worry about data stored on the local disk. If they re-image the machine and you still have issues, swap out the hardware and you're working again. Such policies can easily save a user hours of downtime and it also saves the time of the IT staffer. It all translates into saving money for the company.

    12. Re:Scary by ArsenneLupin · · Score: 4, Informative

      The crux of the problem here is that MS Word needs or provides Internet access for some of its functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems.

      Although Word does probably provide Internet access to its macros and other nasties, this was not a necessary condition for this to work. Even if MS Word didn't have any code within to connect to the internet, any supposed exploit would have been able to supply its own. And from the looks of it, this is what happened here. Apparently, this was some kind of call-back program that would somehow tunnel out through the firewall, connect to the hacker's control console and accept instructions from there.

      Such a thing is rather complex, and probably not pre-existing within word. It was brought in by the trojan itself.

    13. Re:Scary by jimicus · · Score: 2, Insightful

      Christ on a stick! That's a bloody good reason to hide EVERY problem from the IT Nazis.

      Does anyone ever get any work done?

      Depending on your environment, that can actually be the quickest, easiest way to solve a problem.

      The GP didn't explain his environment, but in a lot of larger companies you'll find things are standardised as much as is humanly possible. In IT departments, "as much as is humanly possible" quite often isn't very much, so reimaging PCs there is a PITA for all concerned.

      But in a call centre, it's fine. In any office where all the people have clear, well-defined roles and you know in advance what software they need (let's say Office, one or two proprietary apps and that's about it), again, it's OK. Things only get complicated when the tools people need to fulfil their roles varies substantially from person to person and even from week to week.

    14. Re:Scary by John Betonschaar · · Score: 4, Insightful

      Actually it's a very effective method for both the IT team and the people who desperately need the administrative access. IT aren't required to understand every little john doe program that these people can want to install so they don't have to support them (this is very clearly communicated to these users).

      [..]

      An example of a good operator: there's a bloke over in administration who I would swear used to work in IT. He's got Open Office installed when everyone else uses Microsoft Office, he uses firefox, thunderbird and trillian for his messenger. About 500 theme packs and a few other bits of software. According to our helpdesk logging system he has only ever called once, and this was when he patched himself for the new daylight savings time last year. Everyone else had the problem as well.

      I'd say that's a pretty stupid way to 'administer' your workstations... Why can these people even install all this shit themselves? How can some bloke in administration 'patch his machine' himself? And how does making them not call support because they know they won't fix your problem help with the maintenance of your network? The only thing I can see something like that heading to is an IT support department that only answers the utterly stupid requests and hardware failures. Employees just don't bother to call them because they don't want their machine re-imaged, so they just start fooling around themselves, or ask some guy like the 'bloke from administration' to 'fix' their system. Eventually that can only end in a maintenance and security nightmare.

    15. Re:Scary by ArsenneLupin · · Score: 2, Informative

      Excuse me... how would such a call-back program be initiated, "Shell code". Typically, a buffer overflow causes some user data (contained in Word document) to overwrite the stack, including the return address. The function in Word where this happened would thus not "return" to its intended spot (the caller), but rather to some other place in memory. This would be chosen by the attacker in such a way as to point to some place within the document. The document would contain machine-language code for the rest of the program (presumably, it would drop an exe somewhere, and register it as a service or an autorun application).

      The trick of course is to hide the code in such a way that it doesn't appear as gibberish in Word. But that could be achieved by hiding it inside unused data of a picture or whatever.

      and how would it perform the desired function? Once Word has been tricked to execute the attacker's code, that code can basically do anything it likes, as it can now directly talk to the OS, without going through whatever functionality Word provides.

      Does it not mean that Word has the provision / bug of being able to initiate external programs that can perform actions at a higher privilege? Until very recently (Vista), opening network sockets didn't require any particular privileges. Word would have those privileges, even if it did not use them itself.

      Is that not a serious architectural bug in Word AND IN Windows as well? Nope, only in Word. Before Vista, all programs could connect to the network.

      I think 'the trojan' is a weak and misleading description for this program. It is an exploit for a hole in the operating system... nothing less. Nope. It's only an exploit in the application (Word). The OS at that time (spring last year) was not yet supposed to block this kind of action.

      Frankly, I wonder how you can speculate with any accuracy regarding this problem, since the article is extremely short on meaningful data regarding the bug exploit. Learn to read between the lines ;-)
      • Although they were aware of the program's existence (and presumably did some reverse engineering on it), they were "surprised" when they saw that the program was indeed shipping sensitive documents outside ===> this implies to me that the whole behavior was not coded within the program itself. Instead, it must have been set up in a way to take commands from an outside source (on which communication they presumably eavesdropped, having reverse-engineered the trojan)
      • It's common sense that the state department is protected by some firewall ===> but once you've got some agent inside (i.e. that trojaned Word doc), it's relatively trivial to tunnel through any firewall (for instance just connect back to a Web server hosted by you, and use that to take commands / report back status). Depending on the specifics of the firewall, other methods may exist (tunneling via DNS, ICMP ping packets, IRC, MSN, etc.)
      • Microsoft addressed this as some kind of "new" vulnerability ===> which pretty much excludes macros, which (in Microsoft's mindset...) are not a vulnerability, but "by design". The most likely candidate would be a buffer overflow.

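      The parser-side mechanism sketched in the post above (a copy whose size comes from the file rather than from the buffer it lands in) as an added example in C; this is not code from the thread or from any real Word parser. The record layout, the NAME_MAX buffer size and the read_name_* function names are constructed for illustration, and the unchecked variant is included only so the missing comparison is visible beside the checked one.

```c
/* Added example (not from the thread): a length-prefixed record parser in the
 * style of a document field, once without a bounds check and once with one.
 * Constructed layout, not any real Word structure:
 *   byte 0      = declared payload length
 *   bytes 1..   = payload                                                   */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination that lives on the caller's stack */

/* Vulnerable pattern: the number of bytes copied is taken straight from the
 * file. A declared length above NAME_MAX writes past `out`, and on the stack
 * that is how the saved return address the post describes gets overwritten.
 * Kept here only to show the missing check; not exercised with bad input.    */
int read_name_unchecked(const uint8_t *rec, size_t rec_len, char out[NAME_MAX])
{
    size_t declared = rec[0];
    (void)rec_len;                       /* the real record size is ignored too */
    memcpy(out, rec + 1, declared);      /* no comparison against NAME_MAX      */
    out[declared] = '\0';
    return 0;
}

/* Hardened version: every size that drives a copy is checked against both the
 * room in the destination and the bytes actually present in the source.
 * Returns 0 on success, -1 for a malformed record.                           */
int read_name_checked(const uint8_t *rec, size_t rec_len, char out[NAME_MAX])
{
    if (rec == NULL || rec_len < 1)
        return -1;                       /* not even a length byte             */
    size_t declared = rec[0];
    if (declared >= NAME_MAX)
        return -1;                       /* would overflow out[] (keep room for NUL) */
    if (declared > rec_len - 1)
        return -1;                       /* truncated: claims more than it carries  */
    memcpy(out, rec + 1, declared);
    out[declared] = '\0';
    return 0;
}

/* Constructed sample records used by the stand-alone run and the checks. */
static const uint8_t good_rec[]      = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t truncated_rec[] = { 9, 'a', 'b' };   /* claims 9, has 2 */
static uint8_t       oversized_rec[64];                  /* filled in below  */

int demo_good(void)        /* 0 when a well-formed record is accepted */
{
    char out[NAME_MAX];
    int rc = read_name_checked(good_rec, sizeof good_rec, out);
    return (rc == 0 && strcmp(out, "hello") == 0) ? 0 : 1;
}

int demo_oversized(void)   /* -1: declared length (60) exceeds NAME_MAX */
{
    char out[NAME_MAX];
    memset(oversized_rec, 'A', sizeof oversized_rec);
    oversized_rec[0] = 60;
    return read_name_checked(oversized_rec, sizeof oversized_rec, out);
}

int demo_truncated(void)   /* -1: declared length exceeds bytes present */
{
    char out[NAME_MAX];
    return read_name_checked(truncated_rec, sizeof truncated_rec, out);
}

int main(void)
{
    char out[NAME_MAX];
    read_name_unchecked(good_rec, sizeof good_rec, out);   /* fine on good input */
    printf("unchecked on good record: %s\n", out);
    printf("checked: good=%d oversized=%d truncated=%d\n",
           demo_good(), demo_oversized(), demo_truncated());
    return 0;
}
```

      The hardened function tests the declared length against the two limits that matter: the capacity of the destination (no write past `out`) and the bytes actually present in the record (no read past the end of the input). When reviewing a file parser for this class of bug, the thing to look for is exactly one of those two comparisons being absent.
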
    16. Re:Scary by Fred_A · · Score: 2, Funny

      The dream of every sysadmin, to have that kind of power... Open a word file and you'll be fired. *sigh*

      --
      May contain traces of nut.
      Made from the freshest electrons.

    17. Re:Scary by Architect_sasyr · · Score: 2, Interesting

      Data: Storing the data on a samba share, and mapped network drives. To the GP, I would suggest that you haven't had a large corporation to support. We support a nation wide network (ok, so it's Australia, we're still a nation!) with only 13 support staff including our in-house development team. The bloke in administration wants to be able to have his funky theme pack, and use OO.o, Firefox and Thunderbird. These are not standard across the organisation, and he understands this. The IT Support team is not there to fix every little problem, and as I mentioned, not every person has the PC or the administrative access on said PC. The IT Support team is there to fix the standard problems with the company standard software. The parent to this post has it right, all data is stored on a network drive; any data on the local machine is considered losable, and the users understand this.

      It's an interesting statistic that our IT department get more calls than any other department in the corporation (we're a transport company, so we get a lot of calls to arrange pickups/deliveries). The users know that they can call us, they know that we'll try to fix their problem. 15 minutes isn't a hard and fast rule but the users understand that if we feel it is necessary we will call it in.

      My userbase respects my team. They know that we work hard to keep things going for them and they are willing to wait for us to find a resolution to their problem.

      Perhaps this is unique to my company, or perhaps this is unique to Australia and the "she'll be right mate" attitude we're so famous for, or perhaps this is just the way we support our staff and the relationship with them. I leave it to each slashdotter to decide.

      Oh and we only use certain printers across the company (standards again ;) so each image comes with all the print drivers the user should ever need.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...

  5. (Insert Troll Here) by WhiteWolf666 · · Score: 4, Funny

    Queue the legion of Microsoft apologists, saying things like:
    a) It's only because MS Office has the largest market share, this could of happened to any office suite!
    b) It's not a big deal, obviously the state department's IT department is incompetent.
    c) Damn Hackers, always trying to ruin a good thing!
    d) Macs run on Intel processors now, so they're vulnerable too!
    e) This is probably because the NSA sponsors SELinux.
    f) In Soviet Russia, MS Office hacks YOU!

    Did I miss any?

    --
    WhiteWolf666 an exBush supporter. All you new-school, compassionate, save the children Republicans can rot in hell

    1. Re:(Insert Troll Here) by Beefchief · · Score: 5, Funny

      g) Cue the Grammar Nazi that points out the difference between "cue" and "queue" :)

    2. Re:(Insert Troll Here) by necrostopheles · · Score: 2, Funny

      h) And the one that points out could of != could've

      The first is a phrase that doesn't make sense, and the second is a contraction of "could have".

    3. Re:(Insert Troll Here) by jimicus · · Score: 2, Interesting

      You joke, but I'd point out that a government department (particularly in a large, powerful country like the US) will always be a very attractive target - particularly for blackhats who know what they're doing rather than script kiddies.

      Yet the same government has politicians who are nobbled by Microsoft into saying that open source is less secure because anyone can look through it for security bugs.

  6. It proves a set of closed vs open source arguments by postbigbang · · Score: 4, Insightful

    1) the attack, once found, would have a bevy of coders working on it (we hope, of course)

    2) the testing and regression doesn't have the dependency matrix that Word does, and it's likely that if there was a link, it could be both understood and remedied quickly thru an open code supply chain

    3) multiple hackers (oops, I mean coders) would likely offer variances of a patch, of which perhaps several would/could be part of the subsequent 'patched' tree

    4) eight weeks is a travesty, and that the State Department of the United States of America didn't have an IDF that could detect the aberrant traffic is just plain malfeasant. Heads should roll.

    --
    ---- Teach Peace. It's Cheaper Than War.

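    Point 4 above (traffic that should have been caught) and the earlier description of a call-back program that polls an outside host for commands describe the same observable: one workstation contacting one destination at nearly regular intervals. As an added example that is not from this thread, here is a minimal beacon detector in C run over a constructed connection log. The struct conn layout, hostnames, timestamps and the MIN_CONNS / MAX_JITTER thresholds are all made up for illustration, and the log is assumed to be sorted by timestamp.

```c
/* Added example (not from the thread): flag destinations that a host contacts
 * repeatedly at near-constant intervals, the pattern a polling agent produces.
 * Everything below (log format, hosts, thresholds) is constructed.           */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct conn { long ts; const char *src; const char *dst; };

/* Constructed sample: ws-17 polls 203.0.113.5 every ~300 s, mixed with
 * ordinary traffic to other hosts. Records are in timestamp order.          */
static const struct conn LOG[] = {
    {1000, "ws-17", "news.example.org"},
    {1001, "ws-17", "203.0.113.5"},
    {1130, "ws-17", "mail.example.org"},
    {1302, "ws-17", "203.0.113.5"},
    {1500, "ws-17", "news.example.org"},
    {1599, "ws-17", "203.0.113.5"},
    {1900, "ws-17", "203.0.113.5"},
    {2050, "ws-17", "cdn.example.net"},
    {2201, "ws-17", "203.0.113.5"},
    {2499, "ws-17", "203.0.113.5"},
    {2800, "ws-17", "203.0.113.5"},
};
#define LOG_N (sizeof LOG / sizeof LOG[0])

#define MIN_CONNS  5     /* fewer contacts than this and we do not judge    */
#define MAX_JITTER 0.10  /* flag when (max - min interval) <= 10% of mean   */

/* Returns 1 if `dst` looks like a beacon destination, 0 otherwise. Writes the
 * mean interval to *mean_out when non-NULL and the host was evaluated.       */
int is_beacon(const struct conn *log, size_t n, const char *dst, double *mean_out)
{
    long prev = -1;
    double sum = 0.0, lo = 1e18, hi = 0.0;
    int gaps = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(log[i].dst, dst) != 0)
            continue;
        if (prev >= 0) {                     /* interval since the previous contact */
            double iv = (double)(log[i].ts - prev);
            sum += iv;
            if (iv < lo) lo = iv;
            if (iv > hi) hi = iv;
            gaps++;
        }
        prev = log[i].ts;
    }
    if (gaps + 1 < MIN_CONNS)
        return 0;                            /* not enough contacts to call it */
    double mean = sum / gaps;
    if (mean_out)
        *mean_out = mean;
    return (hi - lo) <= MAX_JITTER * mean;   /* low spread = regular polling */
}

/* Scans every distinct destination in the log; returns how many were flagged. */
int count_beacons(const struct conn *log, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;                        /* skip dsts already evaluated */
        for (size_t j = 0; j < i; j++)
            if (strcmp(log[j].dst, log[i].dst) == 0) { seen = 1; break; }
        if (seen)
            continue;
        double mean = 0.0;
        if (is_beacon(log, n, log[i].dst, &mean)) {
            printf("BEACON %s -> %s every ~%.0f s\n", log[i].src, log[i].dst, mean);
            flagged++;
        }
    }
    return flagged;
}

int demo_c2(void)    { return is_beacon(LOG, LOG_N, "203.0.113.5", NULL); }      /* 1 */
int demo_news(void)  { return is_beacon(LOG, LOG_N, "news.example.org", NULL); } /* 0 */
int demo_count(void) { return count_beacons(LOG, LOG_N); }                       /* 1 */

int main(void)
{
    printf("flagged destinations: %d\n", demo_count());
    return 0;
}
```

    Real call-back agents add random sleep precisely to defeat a spread check this simple, so production detectors use longer windows and weigh per-destination volume and rarity as well; the point of the block is the shape of the check, not the thresholds.
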
  7. Good Times by QuantumG · · Score: 2

    Ahh, I remember the days when a virus spreading via email was just a silly joke that everyone knew was impossible.

    Thanks Microsoft.

    --
    How we know is more important than what we know.
  8. Only fooling themselves by drago177 · · Score: 5, Insightful

    At first, the hackers did not immediately appear to try stealing any U.S. government data. Authorities quietly monitored the hackers' activity, then tripwires severed Internet connections

    If you find evidence of a break-in, it's possible the attackers are also connecting in a way you haven't yet detected. Hope they know what they're doing. Given their reputation, I doubt it.

  9. The airlock is closing... by djupedal · · Score: 3, Funny

    "...then had to sever internet connectivity to avoid leaking too much data!"

    "Cap'n, we're having a wee bit 'o trouble in IT - we're leaking data down here like no one's bloody business - we may have to sever communications!"

    "Scottie - is it really that bad...? Isn't there some alternative that will buy us more time??!! I need more time, dammit man!"

    "Cap'n, I'm only a Star Fleet Engineer, not the Queen's magician..."

    "Well, Engineer...see if you can pull a rabbit out of your ass and buy me five more minutes before you cut us off. That's all we need to make the jump, and after that you can cut your nuts off for all I care!"

    "Aye, Cap'n...do me best - one shit-stained rabbit, com'n up - IT out!"

  10. OS and Apps must be separate! by jhfry · · Score: 2, Insightful

    Anytime that applications are allowed to access files or capabilities beyond what is absolutely necessary to perform their function, there is a risk.

    Microsoft has created some of the most powerful office tools by leveraging tons of existing code that wasn't exactly designed for the intended purpose.

    For example, I love VBA (visual basic for applications)... it can make it very easy to turn a basic spreadsheet into a pseudo application. The problem is, VBA has too many ties to the OS.

    That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system.

    I cannot blame anyone but MS for this... and not the MS Word or Office team. If the OS were properly designed so that user space applications were properly separated, issues such as this would not exist.

    The best part is how long in coming the patch for this is... if these systems were running anything open source, a preliminary patch would be made in a matter of hours (assuming that it was posted immediately to an appropriate mailing list or IRC channel).

    I can't wait until the saying is changed to "Everybody is getting fired for buying Microsoft"... because, IMO, any IT manager who gives a shit about the "INFORMATION" portion of their title should be fired for trusting it to MS's proprietary bullshit!

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.
    1. Re:OS and Apps must be separate! by goofballs · · Score: 4, Insightful

      That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system. I cannot blame anyone but MS for this... and not the MS Word or Office team. If the OS were properly designed so that user space applications were properly separated, issues such as this would not exist.

      This has nothing to do with separation of the user space; the app is run as a unique user, and the information stolen is that available to that user. There is no suggestion that privilege escalation occurred in this attack.
  11. Opendoc by Billly+Gates · · Score: 2, Interesting

    Well, it's a good thing the government standardizes on opendoc and does not cater to special interests like Microsoft's lobbyists when making requirements for secure workstations.

  12. Microsoft is Like Internet of Old by tymbow · · Score: 4, Interesting

    I had an interesting discussion the other day with some colleagues, and we came to a consensus that many Microsoft products were and still are, or at least inherit, a design philosophy similar to that of the Internet when it was first created. The Internet was built on a basis of implied trust and, as we have seen in present times, particularly with e-mail and the SMTP protocol, this model of design is a poor foundation. To counter these issues we need to design more and cleverer countermeasures in an escalating war with miscreants; a parallel we also see in Microsoft products, with a never-ending cycle of Anti-Virus and Anti-Spyware updates and patches required to deal with both programming flaws and poor design choices that assumed trust (recall the ILOVEYOU debacle).

    The real kicker is that you could argue that many of the problems we now face on the Internet are largely due to poor design in Microsoft software, which as I noted parallels an original design methodology of the Internet. We've had several articles earlier in the week pushing a view that the Internet needed to be re-architected due to its flawed security design (although I think it's more about commerce and control, but I won't go there for now) - is it not also time to re-architect Microsoft and their approach to developing products? Would we even have these problems if not for Microsoft? My two cents.

  13. Re:Microsoft Logic by neil.orourke · · Score: 3, Informative

    It doesn't necessarily mean that there are more security holes. Remember the Win2K patch that killed Compaq desktops with a particular network card?

  14. Must suck to be Lenovo... by cunina · · Score: 5, Funny

    ...knowing that your products were banned from the State Department for some theoretical and highly unlikely exploit, while Microsoft Word continues to be used there despite a documented (no pun intended) security breach attributed to it.

  15. open formats alone won't save you by secPM_MS · · Score: 3, Insightful

    It is easy to condemn Microsoft for the vulnerabilities in Office, but the root issue here is the rich functionality in modern office suites. Office came to dominate the market by its rich functionality, tight integration, and ease of use. The addition of sophisticated scripting functionality allowed organizations or integrators to add yet more value. It also created a fertile environment for malicious attackers. As long as the Windows operating system was easily broken, nobody bothered much with attacking the application stack. As Microsoft has raised the bar in the attack resistance of the operating system, attacks have moved up the stack. I was not at MS at the time, but I do not believe that security was at the top of the stack for Office 11 and earlier. I do know that substantial hardening was performed on Office 12, which I believe is now marketed as Office 2007. From my point of view, Office 12 should be viewed as a very important security update to Office 11. I know, they changed the UI. I wish they had left a "classic" option. They didn't. But Office 12 is far less vulnerable than Office 11.

    In their determination to successfully match Office's rich features, Open Office has acquired similar vulnerabilities. One evaluation I saw some time ago concluded that Open Office was likely to be more vulnerable than Office.

    If you want to be secure, run software that does what you need, and NO MORE! Rich functionality and extensibility are the attack points. Not many people want to restrict themselves to txt files or filtered html, let alone edit any longer with editors such as vi or microemacs. Due to their extensibility, pdf and postscript are suspect in the eyes of the truly paranoid, let alone the complex modern formats.

  16. How the **** is this insightful? by Mr+44 · · Score: 3, Informative

    Where's the -1, Misinformed?

    That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system.

    Are you implying that is not the case with windows??? A quick look in task manager shows some system processes running as your user account, some as "LOCAL SERVICE", some as "NETWORK SERVICE", (both restricted accounts) and some as "SYSTEM" (=root). And a quick look at top on my linux box sure doesn't show "almost all" services running as unique users.

    And sure, it's up to the administrator to configure it so the user account is not an administrator, but I've never seen a government system where a domain user account has local admin rights.

    In the specific case of this vulnerability, the word document was able to run arbitrary executable code as the current user. This presumably allowed access to network shares, and then sending the data back out (via HTTP most likely). That sort of thing would be possible with any operating system.

    The only area you are correct in is that on linux the flaw could be patched quicker... But in a large organization, it likely could still be preferable to block the exploit with IDS/firewall rules than by rolling out a client patch...

  17. Well in my office by th3rmite · · Score: 4, Insightful

    Most people who are not familiar with IT in the US Government have NO IDEA how dependent even the military is on MS products. Think MS based virii, worms and exploits aren't on classified networks? Networks that don't even share a common hardware link to the internet...

  18. oh good lord by Essequemodeia · · Score: 2, Interesting

    Thank god there are no file sharing users/security risks at the State Department. It's better to populate an important governmental agency with drones as opposed to internet savvy employees who can't assist network administrators by giving them a slightly more informed heads up regarding odd or bizarre 'puter goings-ons. I hate my own sarcasm. Hate it.

  19. slight modification to your proposal by drachenstern · · Score: 2, Interesting

    One of our client's email is set up so that if you send them an attachment without a particular second attachment, their firewall drops the attachment and only gives you the file. Lemme spell it out for the slow students in the class.

    A customer needed an instruction for how to remove the lid from a specialty box. (for field support purposes, the field guys could be morons, so better to have something from the vendor)

    He calls me and asks for it, I whip something up in PDF and shoot it over to him.

    He calls me and says, got your email but not the attachment.
    Me: Huh?
    Him: When I send this email, reply to it and keep the attachment that's there and attach the doc again.

    So, why is the US Govt not using the same thing? Can it really cost that much to implement (obv not)

    --
    2^3 * 31 * 647
  20. Scanning at the mail server. by MulluskO · · Score: 3, Interesting

    A sane email policy blocks executable files and archives containing executables, but allowing dot docs in is probably unavoidable.

    I wonder then, if it might be possible to scan a Word document for stuff that's not needed. Treat all dot docs that have VB in them as executables and block them out. You might go so far as to attempt intelligent analysis of the document to make sure it consists only of code that would reasonably be generated by a human being. Perform sanity checks on certain variables and so on.

    --
    Too busy staying alive... ~ R.A.
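The gateway policy sketched in the comment above (block executables, block archives that carry executables, and treat a Word document containing VBA as an executable), written out as an added example; this is not part of the Slashdot thread or any product. It assumes the usual markers of a VBA project: in a legacy binary .doc (an OLE2 compound file) the storage and stream names "Macros" and "_VBA_PROJECT", stored as UTF-16LE, and in a .docx (a zip) a vbaProject.bin part; every sample attachment is constructed inside the block.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
# OLE directory-entry names are stored as UTF-16LE; a VBA project adds these.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]

def is_executable(data: bytes) -> bool:
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"  # PE stub or ELF header

def classify(data: bytes) -> str:
    """Verdict for one attachment body: 'allow' or 'block:<reason>'."""
    if is_executable(data):
        return "block:executable"
    if data.startswith(OLE_MAGIC):
        # Heuristic: the marker may also be UTF-16 body text; erring toward blocking is the policy asked for above.
        if any(m in data for m in OLE_VBA_MARKERS):
            return "block:doc-with-vba"
        return "allow"
    if data.startswith(b"PK\x03\x04"):  # OOXML .docx or an ordinary .zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith("vbaproject.bin"):
                        return "block:docx-with-vba"
                    if is_executable(zf.read(info)):  # inflates the member; cap info.file_size in production
                        return "block:archive-with-executable"
        except zipfile.BadZipFile:
            return "block:corrupt-archive"
    return "allow"

def make_zip(members: dict) -> bytes:
    # in-memory zip from {name: bytes}; used only to build constructed samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_samples() -> dict:
    """Constructed sample attachments (not real files), one per verdict."""
    plain_doc = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    return {
        "exe": b"MZ\x90\x00" + b"\x00" * 60,
        "doc_plain": plain_doc,
        "doc_macro": plain_doc + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le"),
        "docx_macro": make_zip({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": OLE_MAGIC}),
        "zip_exe": make_zip({"readme.txt": b"hi", "tool.exe": b"MZ\x90\x00"}),
    }
```

A real deployment would parse the OLE directory rather than substring-match the whole file, and would recurse into nested archives; the verdict strings are what the policy engine would act on.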
  21. hacker != criminal by tomstdenis · · Score: 2, Insightful

    -1 for subby for using the word "hacker" to describe the criminal(s) responsible. You'd think the /. crowd would know better.

    Tom

    --
    Someday, I'll have a real sig.
  22. Puzzled ... by jc42 · · Score: 2, Funny

    Why in the world would anyone with security concerns (and even the tiniest amount of sense ;-) allow the use of Word or any other proprietary, binary format, in email?

    A fun example: A couple of years ago, a fellow hereabouts told the local linux/unix user group a funny story of how Word docs got banned at his workplace. It seems that a VP had written some missive, and decided that it was so important that everyone in the company would want to read it. So he mailed it out to everyone. It was a Word doc, and the people with unix-type workstations mostly couldn't read it, so they did the obvious thing. They fed it to the strings(1) command. The result of this isn't pretty, since it loses all the (binary) formatting and font markup, but the text was readable.

    However, strings can't decode the binary stuff, and didn't know to honor the "deleted" tags on big chunks of the file. It seems that among the deleted stuff was a list of the salaries of most of the management. Ooops!

    The unix users got a bit of a chuckle out of this, of course, and the news got back to the VP (and other managers) what he'd mailed out. After the inevitable finger pointing settled down, the message got through the managers' thick skulls that Word docs can and usually do contain "deleted" stuff that hasn't actually been removed or blanked out, and any time they send someone a Word doc, they might be sending them pieces of any other Word doc that has ever been on their computer. And it's not just unix users who can read this "deleted" stuff; a clever programmer could fairly easily make it visible on Microsoft systems, too. You could just port the strings command to Windows.

    So the word came down that Word docs were strictly forbidden in email. Especially email sent outside the company.

    This problem is not exactly secret. Any organization that allows Word docs, or any other proprietary binary format, in emails is inviting exactly this same sort of problem. Even if you don't understand it or believe it, chances are that some of your competitors do.

    It's especially astonishing that the US State Department would allow Word docs to be emailed. Don't they have any competent security people at all?

    (Or maybe they do, but they are intentionally ignoring the advice of such people. That does seem to be how the US government works these days. ;-)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.