Word Vulnerability Compromised US State Dept.

hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Departments network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"

Great news for open formats

[Beuno]

Well this should push everything towards open document formats a bit more, so it might just be a good thing...

Re:Great news for open formats

[drago177]

It would be so easy to just install StarOffice on each computer (keep Word), and ask the more technical departments to start using it, if only to save docs in Word format at first. I did this with the last company I worked at, nobody ever even complained. The cost was very minimal, and it actually saved a lot of money and time when an excel file corrupted itself. MS could not open it, but SO opened then re-saved it in MS format, then it worked fine.

Re:Great news for open formats

[drago177]

I heard the install was faster/easier, and it was. You're right about the support - never tried it, but I did want to contribute to the open source concept, and $ rules the world. I knew those above me wouldn't notice an extra $20 on each pc, but they were scared of 'non-professional software', so to be able to tell them there was support was a necessary safeguard.

Oh, btw, they were using that excel sheet to keep track of a fleet of buses (this co was archaic in their IT dept when I got there). A radio dispatcher was frantically telling the bus drivers there was a computer problem and to 'hold tight' for 15 minutes till I got there, then 5-10 more minutes to figure out MS file recovery wouldnt cut it, and 5 to install SO from network and fix the prob. The only serious occasion that pitted MS vs SO and the results were stark. So no Im not on Sun's payroll, but the story ought to be a commercial, and I walked out like a hero so I'm happy to tell it.

Re:Great news for open formats

[boer]

> With open software, you can look at the source code and see exactly what it does

I though even the OS community had realised by now how ridiculous this argument is. World economy would in effect come to a halt if every company and public office started to scan source codes for potential vulnerabilities. This is hardly a selling argument and being a wise-ass about it has never helped the OS movement.

Having a goal of zero vulnerabilities is such complex software as an office suite is strikes as feasible only to an ideologist nerd. In practise there will always be vulnerabilities as long as human beings will be responsible for the design and programming. And having gazillions of eyes searching through the source code presumably on the company dollar is not effective way to remove those faults.

Re:Great news for open formats

[mattpalmer1086]

Parent is making a valid point, and is not a troll, whoever modded them that way. The 'more eyes' argument doesn't really work for me either. I use open source software all the time, and I rarely have a look at the source code, and even less frequently take the trouble to understand even a small part of it.

What does work for me with open source is that the nature of open, distributed development tends to promote code modularity, which helps keep those defect counts down. And the fact that code is publicly available exerts an influence on developers to publish code they aren't be ashamed of (unlike what happens in proprietary software development with tight deadlines set by the sales team making unrealistic promises to clients - I have been there).

However, there is a real distinction between defect-free software (probably does not exist) and software that intentionally includes back-doors. With open-source, you can have more confidence that there is no back door, spy-ware, or anything else that shouldn't be part of the application. But it certainly doesn't mean the software will be defect free.

Hmmm...hackers

[Spookticus]

It seems those hackers missed the Philippines and accidentally hit the state department instead

Scary

[nicolas.kassis]

The fact that a simple Word document can cause such a big problem is really sad. How can you tell a few thousand of people not to open word document attachment? I mean, where I work, users receive tons of documents (pdf, office, autocad) files by email from vendors and such, I guess the only defense is good email filtering but still a 0-day attack would make that useless.

Re:Scary

[mrbluze]

The fact that a simple Word document can cause such a big problem is really sad. How can you tell a few thousand of people not to open word document attachment?

Of course this is a popular article because it's more evidence of how Microsoft's 'professional' products are so amateurish, but you're right, you can't tell thousands of people not to open an attachment.

The root of the problem doesn't lie in Word documents, or Word for Windows. The problem lies in Windows, period. The operating system is practically incapable of separating important and sensitive data from junk-mail and untrusted documents from the outside. In such a place as the State Department, it's scandalous.

Whilst hypothetically, Linux is also vulnerable (eg: through some flaw in Open Office), a properly configured system could protect itself without needing to rely on the end user to manually screen every bit of junk they come across. Sure there would potentially have been some corruption of data, maybe some low level leakage, but really, this all points to a hopelessly overcomplicated and poorly designed OS. Naughty Bill!

Re:Scary

[Sancho]

Runing ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."

Unfortunately, they didn't disclose the nature of the vulnerability. "hidden software commands" in the mass media could be anything from shellcode to an executable embedded in the document, to a macro. Since Microsoft patched it, it was probably either something that autoran or an overflow.

Re:Scary

[ozmanjusri]

If our helpdesk can't solve the issue within 15 minutes the PC is re-imaged no questions asked no data saved.

Christ on a stick! That's a bloody good reason to hide EVERY problem from the IT Nazis.

Does anyone ever get any work done?

Re:Scary

[jkrise]

Runing ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."

Nice attempt to evade the issue by raking up redundant matters. The crux of the problem here is that MS Word needs or provides Internet access for some of it's functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems.

The fact that Word is designed to occasionally talk over the internet coupled with it's hooks into the OS via things like VBA etc. is the problem. In fact, the main problem here is not Word or Office, it is the Windows architecture that is vulnerable.

Re:Scary

[Architect_sasyr]

Actually its a very effective method for both the IT team and the people who desperately need the administrative access. IT aren't required to understand every little john doe program that these people can want to install so they don't have to support them (this is very clearly communicated to these users).

It also means that we have a relativly standardised form across the board despite having PC's everywhere and very quickly weed out the users who think they're smart but aren't really.

An example of a good operator: there's a bloke over in administration who I would swear used to work in IT. He's got Open Office installed when everyone else uses Microsoft Office, he uses firefox, thunderbird and trillian for his messenger. About 500 theme packs and a few other bits of software. According to our helpdesk logging system he has only ever called once, and this was when he patched himself for the new daylight savings time last year. Everyone else had the problem as well.

Also, so that those who aren't aware know, you don't have to be a local administrator to install a network printer. Anyone hooking a printer directly to a PC in a corporate environment is either a director or an IT who has lots to learn.

Re:Scary

[ArsenneLupin]

The crux of the problem here is that MS Word needs or provides Internet access for some of it's functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems. Although Word does probably provide Internet access to its macros and other nasties, this was not a necessary condition for this to work. Even if MS Word didn't have any code within to connect to the internet, any supposed exploit would have been able to supply its own. And from the looks of it, this is what happen here. Apparently, this was some kind of call-back program that would somehow tunnel out through the firewall, connect to the hacker's control console and accept instructions from there.

Such a thing is rather complex, and probably not pre-existing within word. It was brought in by the trojan itself.

Re:Scary

[John+Betonschaar]

Actually its a very effective method for both the IT team and the people who desperately need the administrative access. IT aren't required to understand every little john doe program that these people can want to install so they don't have to support them (this is very clearly communicated to these users).

[..]

An example of a good operator: there's a bloke over in administration who I would swear used to work in IT. He's got Open Office installed when everyone else uses Microsoft Office, he uses firefox, thunderbird and trillian for his messenger. About 500 theme packs and a few other bits of software. According to our helpdesk logging system he has only ever called once, and this was when he patched himself for the new daylight savings time last year. Everyone else had the problem as well.

I'd say that's a pretty stupid way to 'administer' your workstations... Why can these people even install all this shit themselves? How can some bloke in administration 'patch his machine' himself? And how does making them not call support because they know they won't fix your problem help with the maintenance of your network. The only thing I can see something like that heading to is an IT support department that only answers the utterly stupid requests and hardware failures. Employees just don't bother to call them because they don't want there machine re-imaged, so they just start fooling around themselves, or ask some guy like the 'bloke from administration' to 'fix' their system. Eventually that can only and in a maintenance and security nightmare.

(Insert Troll Here)

[WhiteWolf666]

Queue the legion of Microsoft apologists, saying things like:
a) It's only because MS Office has the largest market share, this could of happened to any office suite!
b) It's not a big deal, obviously the state department's IT department is incompetent.
c) Damn Hackers, always trying to ruin a good thing!
d) Macs run on Intel processors now, so they're vulnerable too!
e) This is probably because the NSA sponsors SELinux.
f) In Soviet Russia, MS Office hacks YOU!

Did I miss any?

Re:(Insert Troll Here)

[Beefchief]

g) Cue the Grammar Nazi that points out the difference between "cue" and "queue" :)

It proves a set of closed vs open source arguments

[postbigbang]

1) the attack, once found, would have a bevy of coders working on it (we hope, of course)

2) the testing and regression doesn't have the dependency matrix that Word does, and it's likely that if there was a link, it could be both understood and remedied quickly thru an open code supply chain

3) multiple hackers (oops, I mean coders) would likely offer variances of a patch, of which perhaps several would/could be part of the subsequent 'patched' tree

4) eight weeks is a travesty, and that the State Department of the United States of America didn't have an IDF that could detect the abberant traffic is just plain malfeasant. Heads should roll.

Only fooling themselves

[drago177]

At first, the hackers did not immediately appear to try stealing any U.S. government data. Authorities quietly monitored the hackers' activity, then tripwires severed Internet connections

If you find evidence of a break-in, its possible the attackers are also connecting in a way you haven't yet detected. Hope they know what they're doing. Given their reputation, I doubt it.

Re:Quick

[Sancho]

What magical office software do you use that is apparently 100% bug free?

Re:Quick

[grcumb]

What magical office software do you use that is apparently 100% bug free?

Emacs

*ducks and runs*

Microsoft is Like Internet of Old

[tymbow]

I had an interesting discussion the other day with some colleagues and we came to a consensus that many Microsoft products were and still are, or at least inherit, a design philosophy similar to that of the Internet when it was first created. The Internet was built on a basis of implied trust and as we have seen in present times, particularly with e-mail and the SMTP protocol, this model of design is a poor foundation. To counter these issues we need to design more and cleverer countermeasures in an escalating war with miscreants; a parallel we also see in Microsoft products with never ending cycle of Anti-Virus and Anti-Spyware updates and patches required to deal with both programming flaws are poor design choices that assumed trust (recall the ILOVEYOU debacle). The real kicker is that you could argue that many of the problems we now face on the Internet are largely due to poor design in Microsoft software which as I noted parallels an original design methodology of the Internet. We've had several articles earlier in the week pushing a view that the Internet needed to be re-architected due to its flawed security design (although I think it's more about commerce and control but I won't go there for now) - is it not also time to re-architect Microsoft and their approach to developing products? Would we even have these problems if not for Microsoft? My two cents.

Re:OS and Apps must be seperate!

[goofballs]

That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system. I cannot blame anyone but MS for this... and not the MS Word or Office team. If the OS were properly designed so that user space applications were properly separated, issues such as this would not exist. this has nothing to do with separation of the user space- the app is run as a unique user, and the information stolen is that available to that user. there is no suggestion that privilege escalation occured in this attack.

Must suck to be Lenovo...

[cunina]

...knowing that your products were banned from the State Department for some theoretical and highly unlikely exploit, while Microsoft Word continues to be used there despite a documented (no pun intended) security breach attributed to it.

Well in my office

[th3rmite]

Most people who are not familiar with IT in the US Government have NO IDEA how dependent even the military is on MS products. Think MS based virii, worms and exploits aren't on classified networks? Networks that don't even share a common hardware link to the internet...