Slashdot Mirror
Microsoft Word Zero-Day Used In Targeted Attacks
wiredmikey (1824622) writes "Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word 2010 that is being actively exploited in targeted attacks. If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges. 'The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,' Microsoft explained Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft."
Last time I looked RTF (decade or so ago) was a pretty bare-bones least-common-denominator document markup specification.
Someone had to do it.
RTF?!
Wasn't RTF supposed to be minimalistic and simple?
RTF is. Word isn't.
Word is bloated, cumbersome and buggy.
A simple protocol, no need for system access.
...
Oh well, MS seems to have found a way to screw that up.
Maybe Bill should pay to fix it
There are so many of them to choose from
No? Okay, later.
How many years, decades even, has microsoft had the time to understand and get these issues fixed ?
They simply DONT CARE. They retain features like this for their own convenience instead of spending some of those profits on solving the problems these 'easy and vulnerable' solutions of theirs are for.
Thses problems have been identified again and again and whatever bandaids microsoft has done was not a systematic elimination.
Shoddy work with a monopoly is a bad situation and Bill Gates who set the pattern for this company can drink molten gold in hell for the pain he's caused so many people KNOWINGLY.
Did you know that there is a zero-day emacs flaw which allows an attacker to run arbitrary Lisp code??? Scary, I know, much less vim. If Emacs is to overtake Windows, this type of careless programming has to stop.
Society use your Sciences
Privilege escalation is always worse than 'execute with same privileges as user'; but for primarily-end-user software the distinction seems a great deal less helpful (unlike, say, on the server, where attacks isolated to one service account or daemon are legitimately less dangerous). Joe User's security context has access to more or less his entire life in documents and ill-secured website passwords, and enough permission to plant something that will start when he next logs in in a zillion different places that he isn't likely to notice(details will vary by OS; but the only real exception would be the control-freakier mobile ones). So Joe User is screwed at either privilege level, and, from the perspective of fixing the system, conclusively proving that only user-level access was gained and the system is still secure (much less attempting to fix it if it isn't) is so much more time consuming than just nuking it and applying a fresh image that you'd only try in order to get samples of the attacker, not because it's worth the trouble on its own.
I'm pretty sure nobody would notice or care.
The one trick (comparatively rare; but it happens at times) is that if you take an RTF document and give it a .doc suffix, Word will interact with it happily enough and I think even save it in the RTF format if you modify-and-save.
This means that if you block by suffix, a remotely clueful attacker will just fix their suffix and carry on; but if you block by format a small and fairly unpredictable subset of '.doc' files will be weeded out for reasons users will be unlikely to grasp.
This would hardly make it the most painful thing routinely inflicted on users in the name of security; but it isn't a plus.
Plus OLE support. Quite a powerful capability; but one of those powerful capabilities best handled carefully, kept away from direct sunlight, protected from shocks, and otherwise treated as though it is just waiting to ruin your day.
You have been able to embed OLE objects since 1992.
Help stamp out iliturcy.
You mean you can decrypt the encrypted files without the decryption key?
MS Word has been insecure since MicroShaft decided to add VBA and tie Word into the OS. Nothing but virus attacks and worms.
Why the hell do so many people continue using shit products so damned likely to infect their system?
> "Most security professionals consider Microsoft the bar every other vendor should strive to meet."
Computerworld said it, so it must be true.
http://www.computerworld.com/s/article/9246837/Perspective_Microsoft_risks_security_reputation_ruin_by_retiring_XP?pageNumber=2
Word !!
Word, bro! You certainly deliver a powerful point there. It seems that you excel in life. If I only could make one note, it would be that I see a great outlook for your future.
Is that Google is the one exposin the flaws in Microsoft office. I've recently ditched all things Microsoft. Went over to the dark side, Ubuntu. Why not? It has all the applications and functionality I had on my ancient XP laptop plus a whole lot more. Plus it comes bundled with Firefox and Thunderbird which I was using on my XP box to begin with. All I had to do was copy over my documents, music and profiles for both and I got everything back. And Libre office has come a very long way. Plus I have my NNTP reader, my astronomy program, it's all pretty sweet.
I know you are just trolling, but in case anyone considers that you might sound like you know what you're taking about...
Or you could just use a god damned system that isn't riddled with malware the way everything M$ is.
No, actually "you" can't. Our ERP system that runs the company cost around 2.5 million all said and done, and it only runs on Windows.
For our industry, there are only three (3!) such ERP packages in existance, ALL of which require windows to run (Except Oracles product, which can use windows and/or work poorly in non-IE browsers, but better than nothing if you can afford them)
Do YOU plan on cutting me a check to have this non-existant software created and paid for?
No? Hello? I hear crickets from you now.
Every solution you suggest would literally be no different than tossing out every computer and going back to pen and paper. You might as well suggest that a raw pork chop is a far superior weapon to a gun when the stated goal is to kill someone - obviously stupid and incorrect.
There is no longer any reason you could not roll out Linux or BSD workstations administered by someone clueful with nice pretty graphic UIs and installations of LibreOffice. Your users will thank you for systems that Just Work without silly malware paranoia.
Except for that little fact that there is no software to use. Yea, I kinda think our users will notice that tasks previously taking 60 seconds now take 4-8 hours to complete.
Your stockholders/partners/managers/owners will thank you for having some security and not letting dipshits use malware to steal customer information or God knows what other data.
Considering that advice would make the stock holders lose billions and no longer have a business, thanking me would not be on their list of methods to extract revenge and pain out of me.
As a troll I realize you only have the goals of causing pain and misery in others lives, but most of us actually don't enjoy seeing that.
Microsoft will feel rejected and their fanbois will cry about problems LibreOffice solved years ago back before it was forked from OpenOffice, pretending they are still relevant. But they will get over it.
I hate Microsoft garbage as much as the next person, most likely more since I actually use the crap and you clearly admit you don't and thus have no experience about the claims you also made.
The fact of the matter is that no matter how poorly microsoft software works, that poor solution is surrounded on all sides by non-solutions that don't even function. There is nothing better.
But if you truly believe your other solutions will work as drop-in replacements, will earn companies so much more money, and get you placed on a kingly pedestal showered in thanks - just put your money where your mouth is.
Once you pay all the change costs, and take on the risk your suggestions will incur, I will jump at the chance to rid ourselves of microsoft faster than you could sing trololol.
I'm just waiting on that check still...
Yep, let's believe the the AC who can crack RSA 1024 bit triple DES in 10 minutes using a debugger... But in all seriousness here's a neat blog post breaking down what the malware actually does using a couple debuggers including ollydbg before it gets to the encryption part.
Forgot the link.
http://www.antimalwarelab.com/...
I don't remember the DOS version being particularly insecure.
You send actual Word documents outside your control? Thanks asking for trouble. Send a PDF.
It isn't the absolute best fix, but MS's EMET (Enhanced Mitigation Experience Toolkit), does stop any attacks via this route. I'm sure EMET probably breaks some apps (easily fixed by adding exceptions, and probably why this tool isn't included in the base OS), but it is worth installing and using.
LOL. Get ye back under your bridge.
MS Word has been insecure since MicroShaft decided to add VBA and tie Word into the OS. Nothing but virus attacks and worms.
Why the hell do so many people continue using shit products so damned likely to infect their system?
File -> Options -> Trust Center ... First thing any sane person should do after installing word is turn off all macros and activex/vba without notification.
And who in the world thinks that Word is usable as an email viewer? It's such a dreadful experience that I'm surprised that MS still offers that option in Outlook.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
That sounds like an apt description of a computer in general. Or dynamite. Or banks. Or the government. Or beer.
The road to tyranny has always been paved with claims of necessity.
Customer wants, company gives. Doesn't matter what the risk is, short term its money in the bank. Most companies work this way. Some care more and prevent sale of a product until it's fit. Others release the product knowing it's go major flaws and leans on the ability to push firmware updates.
Offers? That's the default behaviour in Outlook through Office 2013.
...will it run in Wine?
Office: for when you have Real Work. You know, like managing money, or social security numbers. Medical records. Industrial controls.
Help stamp out iliturcy.
But only if you have the power to point to it, I can give you access if you want.
When you sympathize with stupidity, you start thinking like an idiot.
Thank you, Dissy. My last job (and probably my next) was in a Windows environment, our ERP-that-is-not-to-be-named abused SQL Server to the point that if you unplugged the server while it was doing a payroll process, you had to load a backup from before the start: the ERP-system-never-sufficiently-cursed did not use SQL Server's transaction log, all record updates were line-by-line using cursors through an application server so that their one pustulent code base would work poorly against SQL Server, Oracle, and something else like PostgreSQL.
They could have written such a better system if they'd let me train their programmers in relational database and modern techniques, instead they forced them out in to retirement.
Too many people think the solution is to drop in *nix, not taking in to account business cases. And we the damned are forced to make it all work.
When you sympathize with stupidity, you start thinking like an idiot.