Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×

MS Word Zero-Day Exploit Found 396

Posted by Zonk from the don't-do-any-work-today dept.
subbers writes "A zero-day flaw in Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"
This discussion has been archived. No new comments can be posted.

MS Word Zero-Day Exploit Found More

MS Word Zero-Day Exploit Found

Comments Filter:

  • At least it's not open source (Score:5, Funny)

    by Anonymous Coward on Friday May 19, 2006 @02:39PM (#15367606)
    You know how unreliable OSS is after all...

  • Not overly bad, combined with some others bad. (Score:5, Insightful)

    by Novanix ( 656269 ) * on Friday May 19, 2006 @02:39PM (#15367609) Homepage
    This type of spam isn't too bad given traditional spam methods, as smarter users won't open attachments from people they don't know. The dumb ones generally dont know a word doc from an EXE so hopefully they are also avoiding most attachments. However there have been a few articles [arstechnica.com] on the future of spam and local data mining. Consider what would happen if the next virus your co-worker got looked through their emails, found the last word document they sent out, and then copied that but embedded this exploit. They might even say, its been revised please have another look. The chances you wouldn't open this are extremely low, and especially when you are opening a normally okay attachment. It is coming from someone you know, from their computer, through their isp, and even is styled the same way as normal. The question is how will we attempt to combat such things? It doesn't just have to do with holes in microsoft office, or any other format too. When local data mining is combined with exploits in any other common formats (give the image exploits of other os's even) you now have a delivery method that can almost promise execution.

    • Re:Not overly bad, combined with some others bad. (Score:5, Informative)

      by Jimmy King ( 828214 ) on Friday May 19, 2006 @02:45PM (#15367661) Homepage Journal
      You haven't done any computer support for non-technical people in a long time, have you? It's only been a couple years since I broke free from the shackles of technical support, so believe me when I say way too many people will open this without thinking twice.
    • Disable attachments. It's was a dumb idea in the first place - it presents opportunities for malicious behavior, harbours company secret dissemination and promotes unnecessary clutter. Refer to a url pointing at a share within the company instead.

      All internal corporate attachments should be banned. That's how you deal with it.
      • Forgot one thing. This is what we need IPv6 for. If everyone in the country had a distinct permanent IP for each machine, they could share their resume or other docs from their own machine, provide permission to a company to access it, then send an email with no attachment, just the url to their share.

      • Re:Not overly bad, combined with some others bad. (Score:4, Insightful)

        by Anonymous Coward on Friday May 19, 2006 @03:00PM (#15367790)
        Are You Serious?!?!

        So your saying in the age of the modern broadband; in the age of rich deliverable content; you are saying we should send text only? That's great. It's got nothing to do with fundamental inherent security issues in Microsoft's software made in poor architecture judgements, as well intended as they were.

        It's the fault of a fundamental concept in email delivery, which non microsoft users use without fear.

        hmmm.... don't think so. not at all.

        • Yes, I am serious.

          Your suggestion that an attachment represents "rich deliverable content" is laughable.

          Yes, I am saying email should be text only. It is already, whether you acknowledge it or not. You see, your "attachment" was bit shifted into text characters so it could be packaged in an email without getting munged. SMTP was intended for text and truncates bits based on that assumption. It's a bastardized, encoded cyst. A real document has a lifespan, an author, a source, and various other metadata that
          • So, instead of attaching files to e-mails we should:
            • All run webservers and have e-mail programs that know how to publish to them and all of the cool new security issues that'll bring with it.
            • Or, we should all rent access on a webserver somewhere and either know how to publish documents on it, or have our e-mail program do that.
            • Or, we could all have publically accessible Windows Shares where the URL://fredsbox/myshare will somehow magically work everywhere.

            New Microsoft Outlook 2007, The Safe Way
            No more of that nasty bold text (or any other formatting for that matter) ruining your otherwise clean message.
            Enjoy getting humorous images mailed to you? Not any more!!!
            Viruses, no way, not in a text only package! (Unless the sender figures out something we didn't check, like, a buffer overflow if you make a line of text 4097 characters with no breaks.)
            E-cards are so 2006, NOW ASCII-cards!!!

        • what he's saying. email is a text medium, like it or not.

          It a medium of communications, and text is the only content which can be assumed to be usable by any recipient. Sending anything other than plain old text, unless there is prior agreement between both sender and receiver, is a hinderance to communications.

          http://www.efn.no/html-bad.html [www.efn.no]

          • Is e-mail an _english_ medium?

            If you can't assume rich text, why assume _english_?

            Better yet, why not send a rich e-mail (especially from a variety of applications, or in a commercial sense) that contains multiple encodings, and select the correct language based upon the recipient's lingustic settings.

            No reason that iPhoto 2010 "form e-mails" containing images shouldn't contain the image metadata and a, "Hi! So and so send you these " in whatever language the client chooses.

            Restricting e-mail to plaintext
        • I fail to see where carefully and intelligently worded text can ever be over-valued than some shiny graphics bullshit done in powerpoint. If you're good enough to make your statement short, simple, to the point, and informative at the same time, you shouldn't have a problem in giving out your idea to stockholders and etc. This "We need media-rich content!" bullshit is old, decrepit, and useless. If you can't get it across with plain words, and the people involved are not smart enough to understand plain wor

        • Re:Not overly bad, combined with some others bad. (Score:2, Insightful)

          by Anonymous Coward
          Of course he's serious. In this age of modern broadband, would you set up an FTP server that allowed anonymous uploads? Allow just anyone to upload anything they wanted to your computer, with no controls what-so-ever?

          I would hope not. Yet you're suggesting that we do the same thing with email. Why should we allow anyone who wants to send us anything they want? I don't want to be emailed harmful programs, yet I am anyway. Some of them are wrapped in ".SCR" or ".PIF" or, in this case, ".DOC" files, but

      • Good lord (Score:4, Insightful)

        by Darkman, Walkin Dude ( 707389 ) on Friday May 19, 2006 @03:08PM (#15367864) Homepage

        Refer to a url pointing at a share within the company instead.

        Have you never heard of phishing?

        • Re:Good lord (Score:3, Insightful)

          by 955301 ( 209856 )

          At least with phishers they have to burn an IP address of a node on their zombie cluster to present the mock web page.
      • Hmmm. Probably not gonna happen. Lotus Notes anyone?
      • So then they make one that scans local and mapped drives and infects ALL word documents it finds. Then a single person getting this would very quickly infect the entire company.

        So other than inducing more user errors by adding more steps to people's tasks, what has your method accomplished?
      • I think you underestimate the use of attachments in a corporate setting, and the amount of user resistance to such a scheme that would require uploading in addition to sending a link. In fact, such a scheme would probably just result in a proliferation of "one button upload" tools that would upload a file to a server and link it in the outgoing document simultaneously, which could then be used by virus writers to spread their payloads. In short, you'd have maybe given then a 6 month hiccup while the tools g
      • Wow, such a bright idea. Ban something useful because of a few instances of malicious use.

        Blind and pointless cries like, "Stop all attachments!" mean nothing because it's never going to come to pass.

        If your systems are being compromised in any way, it's the job of sysadmins and techs to ensure that potential holes are taken care of.

        Banning something and affecting productivity is not the answer.

        Goodluck trying, though. In most corporations, everything is done via email, and for folks that have WFH scenarios

  • When do we see a patch? (Score:4, Insightful)

    by xot ( 663131 ) <fragiledeath&gmail,com> on Friday May 19, 2006 @02:39PM (#15367610) Journal
    Is there already a race on for releasing a patch? Can the anti virus companies detect it?
    I guess it will be a mess if they dont start detecting it soon.Of course MS will be flamed again.
    • Patch available: http://www.openoffice.org/ [openoffice.org]

      • Re:Patch available (Score:2, Insightful)

        by dj42 ( 765300 )
        Patch available: http://www.openoffice.org/ [openoffice.org]


        Why did that get modded insightful?

        If anything, it's barely "informative".

        In the corporate world, using Open Office is like driving an electric scooter. Sure, some people think it's cool because it's not a gas-sucking-Hummer, but it's a piece of shit scooter.

        Is there perfect compatibility between business users with Word. and OO? Absolutely not. It's totally unacceptable for corporate use with other folks that use MS Word regularly. Same with Exce

        • Why did that get modded insightful?

          If anything, it's barely "informative".

          hook, line , and sinker....and rod, and fisherman.

        • Re:Patch available (Score:3, Informative)

          by mspohr ( 589790 )
          I've been using OO.org for the past year in a highly collaborative environment where I constantly share docs, spreadsheets, powerpoint with a large number of people using different versions of MS Office.

          Compatibility is just not a problem. In fact, I have better luck using files from all versions of MS Office than those using MS Office. (MS Office compability across versions is poor.)

          • Re:Patch available (Score:3, Interesting)

            by xtracto ( 837672 )
            I have yet to count the number of times I read this comments, and better yet, they always come after someone critisize the real lack of compatibility between OO.org and MS Office.

            And moreover, how many Karma points does this comment gets each time, FOR THE LOVE OF GOD MODS THIS IS UTTERLY REDUNDANT!

            I agree that MS Office may not be good, in fact it is a P.O.Shit, and O.O.org is nice, (though a bit slow and big) and also free, but IT IS COMPLETELY AND PURE BULLSHIT to state that it is compatible with the oth
    • They deserve the flames. When MS started linking everthing into the OS, they claimed it was to make things easier and that's what people wanted; they actually were trying to hold dominance over all things PC.

      No, I am not the least bit surprised or shocked. Yes, I know how things work.
      I won't have pity for MS or anyone else who sees their position as more important than people.

      In fact, my pity meter is running on empty.
    • Must be another slow news day. I mean, Microsoft exploits are as regular as I am after eating Mexican food.
    • Since this is Microsoft, you will see a patch extremely quickly in accordance with their new update schedule intended to make network administrators' lives easier - the second tuesday of the month following completion of the defect. Of course, since this defect is not critical and is overblown (Obviously if this were a bug in an Open Source product, not only would it infect your machine but it would devour your first-born baby, burn down your house, and empty your bank accounts all simultaneously) develope

  • is Microsoft this fragile? (Score:5, Insightful)

    by yagu ( 721525 ) * <yayagu@[ ]il.com ['gma' in gap]> on Friday May 19, 2006 @02:39PM (#15367612) Journal

    A recent slashdot story asked the question, "Is the internet that fragile?" When I see stories like this, it reminds me and should remind everyone of the other fragile technology(ies), Microsoft and their baggage.

    Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:

    As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.

    This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.

    Microsoft has made our bed, and now we all must sleep in it (ick). It's unacceptable that such an exploit could so easily take control and wreak damage. Why can a simple e-mail get in and twiddle with what should be administration-priveleged system resources? I know the recommendation is everyone accessing their XP as non-administration users, but how do you enforce that, especially when for so long so many of the out-of-the-box configurations make administration rights the default login?

    I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege

    Of course, a good outcome from this would be to reconsider the global transport of exchanging documentation (e.g., resumes and cover letters, etc.) to something a little less Micrsoft, a little more open, and a little less prone to exploits. That can't happen soon enough.

    • Re:is Microsoft this fragile? (Score:4, Insightful)

      by Politburo ( 640618 ) on Friday May 19, 2006 @02:49PM (#15367692)
      I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege

      You act like MS is the only company that does this. Nothing could be further from the truth.

    • a better workaround (Score:4, Insightful)

      by frankie ( 91710 ) on Friday May 19, 2006 @02:51PM (#15367700) Journal
      The exploit only works properly in Office 2003 (and crashes Office 2000). Given that emailed DOC files are pretty much required for millions of people to do their jobs, the most effective short-term workaround is use something else to read DOC files [openoffice.org].

    • Re:is Microsoft this fragile? (Score:4, Insightful)

      by d_jedi ( 773213 ) on Friday May 19, 2006 @03:08PM (#15367870)
      I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege
      "Unique privelege (sic)"? Not quite.. just about every software company absolves itself of legal responsibility in this way.. why, even the GPL does it.

    • This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.

      The open source and closed source communities have already provided me with a better work-around for this attack vector, one which Microsoft motivated me to start employing long ago. MS Word costs money. MS Word is rather slow to open and

    • Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:

      As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.

      This is disruptive and lose-lose, either or

    • Microsoft has made our bed, and now we all must sleep in it (ick).


      You can keep the bed lice to yourself. I normally use OpenOffice.org and on occasion I'll sometimes fire up koffice. Not "all" of us must sleep on that crusty, dirty old Microsoft mattress.

  • Not funny (Score:2, Insightful)

    by Beuno ( 740018 )
    How many EXTREMLY critical flaws is it already Word documents have?
    How is it possible these things still keep coming up.
    It's not even funny anymore...

  • In related news (Score:5, Funny)

    by Siberwulf ( 921893 ) on Friday May 19, 2006 @02:42PM (#15367636)
    Sony announces it will be sending an apology note to users who were infected by their rootkit DRM. The apology will be in .doc format.
    • Contained within that document will be the information to conduct a wire transfer of $10,000usd for each machine infected by the rootkit. In order to receive the compensation for the inconvenienced suffered, all you need to do is complete the form contained within. Require fields include name, DOB, SS#, and your primary checking routing and account numbers and the info will be automatically submitted for payment. A nominal fee for handling transfer costs will be deducted from your checking account. Don't wo
    • Holy bad timing batman...

      Well the virus was probably written by a team of non-commercial developers. So MSFT is right. Only dangerous things come from those non-money grubbing hippies.

      Tom
      • Well the virus was probably written by a team of non-commercial developers. So MSFT is right. Only dangerous things come from those non-money grubbing hippies.

        Thats a funny statement until you see.... From the article: The e-mail was written to look like an internal e-mail, including signature.

        Each email is signed: Sincerly, Steve Jobs

  • real damage? (Score:5, Funny)

    by gEvil (beta) ( 945888 ) on Friday May 19, 2006 @02:43PM (#15367644)
    Finnish anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

    Yeah, but can they do any real damage? : p
    • This is one of the reasons I preach minimum privilege needed to get the job done. While it is cumbersome to live up to this under windows, in a corporate network is MUST be done.

      I only allow local admin with a demonstrated NEED.

      Yet I shake my head in amazement when wanna be admin lamerz perform their normal daily tasks (like read their email) logged in as a domain admin.

  • Question (Score:2, Interesting)

    by benjjj ( 949782 )
    Would someone with more knowledge than me explain the term "zero day"?

    • Re:Question (Score:5, Informative)

      by Fat Idiot ( 923144 ) on Friday May 19, 2006 @02:52PM (#15367711)
      Zero Day means that the vulnerability was previously unknown. Hence there are no days between dicovery of the vuln and dicovery of the exploit in the wild.

    • Re:Question (Score:3, Informative)

      by Politburo ( 640618 )
      To me, in this context, zero-day has no meaning. It's used in the warez community to reference a download that is available the day the software is released (i.e., zero days after the release). You would also have 1-day, (n)-day, and in rare cases (negative)-day warez.

      I can only guess that it means the worm uses a heretofore unknown exploit. Thus, this exploit is 'zero days' old.
    • short and sweet answer: an exploit that does not have have a patch available to correct the flaw.
    • Usually "Zero Day" means something that was available when the product was released now.

      "Zero day" warez means a warez copy is available the day the product releases (sometimes before).

      "Zero Day" venerabilities are usually ones which are detected before a virus is in the wild for them. (i.e. problem found before an exploit is available)

      In general it usually just means "Really new!"
       

    • Re:Question (Score:5, Informative)

      by MarkByers ( 770551 ) on Friday May 19, 2006 @02:54PM (#15367739) Homepage Journal
      Hmm the Wikipedia page doesn't really explain it very well: http://en.wikipedia.org/wiki/Zero_day [wikipedia.org] so let me try.

      It means that the exploit was discovered by crackers before any patch has been made available to the public. In other words there is nothing you can do except not open any .doc files unless you want to run the risk of being cracked.

      But of course, everyone knows that Word is full of holes because no-one has really attempted to use it as an attack vector yet since there are many easier ways [microsoft.com].
      • Hmm the Wikipedia page doesn't really explain it very well

        Just modify the Wiki page. Share the better explanation with the world instead of leaving it here.

    • Among other things, vulnerabilities are guaged by the number of days they have been out. 8-day, 7-day, etc. If an exploit ('sploit) has not been know before being used in the wild, it's referred to as a 0-day. That's Zero day, or "oh-day".

      http://en.wikipedia.org/wiki/Zero_day [wikipedia.org]

    • Re:Question (Score:5, Informative)

      by jschottm ( 317343 ) on Friday May 19, 2006 @03:06PM (#15367845)
      Would someone with more knowledge than me explain the term "zero day"?

      N (where N >=1) day exploits refer to the number of days after a vulnerability and/or patch is made available that it takes for exploits to occur. If Microsoft releases a patch on the 12th and an exploit is written on the 15th, that would be 4 day exploit. Some people would consider it to be a 3 day exploit, not counting the day of the announcement.

      Zero day refers to an exploit that uses a previously unknown vulnerability in software, or in some special cases, finds a way to turn a previously known flaw from something that wasn't considered bad enough to patch to a dangerous situation. Zero day exploits are dangerous in that there are no patches for them, although in some cases it can be prevented/mitigated by firewalls or Intrusion Prevention Systems. On the other hand, zero day exploits are often held closely by the people who discover them in order to gain the maximum advantage from it. For example, the exploit used on debian.org a few years ago was not disclosed in order to use it to penetrate several huge names in the open source community. Once a zero day exploit is made public knowledge, it will be focused on and patched.

      There is also an archaic use of the term from the old days of pirate BBSes - back when delivery of cracked software was slow, difference BBSes would have better priority on getting delivery of that software. The most important ones would get the software the day it was released by the cracking group and would be described as having 0 day warez. Broadband/P2P/etc. has made the use of this term out of date, although it's entirely possible that some people still use it in this context.

  • Ahh Microsoft (Score:4, Funny)

    by dannyelfman ( 717583 ) on Friday May 19, 2006 @02:45PM (#15367665)
    I would like to point out that as a pen tester, Microsoft product really *DO* make my job easier.

  • Just how much is 'exploited'? (Score:3, Insightful)

    by Dimensio ( 311070 ) <darkstar@LISPiglou.com minus language> on Friday May 19, 2006 @02:46PM (#15367666)
    Is this an exploit that somehow grants malicious code access privledges even beyond the user's access level, or does this simply allow execution of arbitrary code at the access level of the user who is running Word?

    If it is the former, then it's a very serious flaw. If it's the latter, then it's a serious flaw, but one that will only really adversely affect people stupid enough to run as Administrator all the time, despite Microsoft's own warning against such idiotic practices [microsoft.com].

    If it is the latter, then I have further justification to use against the users who have complained about using their Administrator privledges.
    • Former. Installs a rootkit; at least thats what the article says. The ISC summary indicates it drops some kind of bot on your system, which probably takes advantage of some local privlidge escalation.

    • Idiotic practice (Score:3, Interesting)

      by Anne Thwacks ( 531696 )
      I wish to own up as having performed idiotic practices (With and without the help of Windows).

      I have a PDA running WinCE, and I can only sync it with MS Active Sync if I am logged on as administrator. I really detest this. It would be so much better if each member of the family could sync their own PDA when logged in as themselves. However, Active Sync does not appear to support this. This machine has to be connected to the internet to update my WinCE apps. I suspect this makes Active Sync "goods not of m

    • I run mainly as LUA on my XP Home machine and at first it was a total PITA with way too many apps needing admin access to do anything. For those there were two options: run as admin (no way) or use CACLS to grant the LUA access to certain directories in Program Files and a program to allow those that demand admin to run no matter what directory access you grant them.
      Now I know this is the fault of the app designers but it's pointless to blame the users for not wanting to put up with the tedious aggro of try
    • Gee, Why do most users run Windows as admin every day? [pluralsite.com] Stupid programming by third-party vendors (or sometimes even on Microsoft's part), and runas is too much of a pain for the average user (and re-introduces the exploit ANYHOW). If, say, Quickbooks calls Outlook through MAPI and Outlook is configured to use Word as its editor (the default configuration IIRC) and the template just happens to have the infection in place in normal.dot, guess what? Even though the user is set up as a limited user, the user j

  • Most of us shouldn't have to worry... (Score:3, Interesting)

    by pla ( 258480 ) on Friday May 19, 2006 @02:46PM (#15367671) Journal
    FTA: Symantec's DeepSight team said the exploit successfully executes shellcode when it is processed by Microsoft Word 2003. The malicious file caused Microsoft Word 2000 to crash, but shellcode execution did not occur.

    Wonderful! So it only affects the latest-and-greatest versions of Office. Considering that MS hasn't added anything since Office 95 (I still run '97, myself), I expect only business users on SA should ever get hit by this exploit.


    Then again, I suppose this means that Microsoft has added something, at least since Office 2000... Namely, more security flaws. Woot! Way to go Billy G! "Focus more on security" indeed.

  • Good thing... (Score:3, Interesting)

    by DnemoniX ( 31461 ) on Friday May 19, 2006 @02:47PM (#15367676)
    Guess it is a good thing that I haven't seen enough added value to justify a move from Word 2000 to 2003 in our organization.

  • DEP? (Score:4, Interesting)

    by urikkiru ( 801560 ) on Friday May 19, 2006 @02:47PM (#15367678) Journal
    Does this still work with hardware supported Data Execution Protection enabled I wonder? Just curious. Seems like the kind of thing it's supposed to trigger against. I know that with it enabled, I can't profile a visual studio project I'm working on, as the profiling app hooks into the memory of the app I'm working on. Not sure if this is a similar thing though. But still, seems like something that should be a clear separation between executable and data segments of memory.

  • Only a taste... (Score:5, Funny)

    by gerrysteele ( 927030 ) on Friday May 19, 2006 @02:49PM (#15367691)
    ...of things to come. This is the Microsoft Windows Vista teaser trailer :p
  • And this just brings us right back to the oldest antivirus solution in the book: if you don't know the sender, DON'T OPEN THE FILE. You'd think people would catch on by now...

    • Re:Geez. (Score:5, Insightful)

      by LurkerXXX ( 667952 ) on Friday May 19, 2006 @03:14PM (#15367912)
      if you don't know the sender, DON'T OPEN THE FILE

      WRONG! Modern viruses, for YEARS now, have set their 'sent from' address as a random address they found in either the internet cache, or ADDRESS BOOK of the infected machine. Often many people in a random address book already know each other. That means the virus has a very good chance to be sent 'from' someone you know (in the address line), although that person didn't send it.

      Don't trust an attachment just because it appears to come from someone you trust. If you aren't expecting that exact attachment, or there isn't very very clear working in the email that would make it relevant to something you know about rather than some generic topic, don't open it. Take two seconds and email the person back and ask what it is.

      Trusting an attachment just because it appears to come from someone you know is STUPID.

  • Seeing as I don't run as an Administrator on my box when I'm not administering, the exploit is neutralized by simple lack of privielges. Still sounds nasty nonetheless.
  • For all we know, the Zombie Overlords live in Scranton, NJ or Brazil.

    They're just using the incredibly insecure servers one can find in China and nearby countries to base the attacks from.

    Now, that doesn't mean they aren't Chinese - in fact, that's quite possible - just that where an attack comes from is frequently not where the people who set it off are based in.

  • security? (Score:5, Informative)

    by pe1chl ( 90186 ) on Friday May 19, 2006 @02:57PM (#15367750)
    As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter.

    How about:
    - make sure your users don't work as administrator but under an unprivileged user account
    - setup the system so that this unprivileged user account cannot write in %windir% and %ProgramFiles%
    - build the network in such a way that programs cannot directly "connect home" but can connect to the Internet only via well-defined proxy servers
    - setup mail so that incoming office documents opened from mail do not open in Office but in the free Office viewers instead

    • Now now now..

      You're getting all fancy schmancy. Besides, how would that help Symantec annoy MS? We have to keep our head and priorities about us in these hectic times and stay focused on the goal.

    • Re:security? (Score:3, Interesting)

      by NeutronCowboy ( 896098 )
      Ah.... the old "castrate the user so that they can use Word, email and minesweeper only."

      Let me give you an example: I work as a consultant. My laptop is my life. Every week, there is a chance that I'll have to install some weird VPN software on it, program demos, home grown connection programs and change my registry, firewall and connection setting so that I can properly work in the client's network. If my laptop is set up to your specifications, I'm out of my job. For the simple reason that I don't have

  • My PC Compatriots Won't Listen... (Score:3, Insightful)

    by BoRegardless ( 721219 ) on Friday May 19, 2006 @03:41PM (#15368118)
    ...when I tell them, that my Mac OSX laptop is the CHEAPEST form of absolute insurance against the MS EULA protected gross safety problems of MS's XP Pro & MS Office.

    They do critical MSWord docs back and for with clients and the FDA in Wash. D.C. all day long, and I really don't think they accept how risky this is today, particularly if a document comes in forwarded from a reliable source that has had the malicious RootKit somehow patched onto an other wise legitimate document that they need to file with the FDA.

    Of course that makes me wonder how the FDA handles a malicious MS Word document. They are no different than anyone else in receiving zero day exploits.

    Each time a zero day or other serious problem hits, I remind them, but they are literally afraid of having to learn something new, & so stick with the MS offerings.

    • Re:My PC Compatriots Won't Listen... (Score:4, Insightful)

      by necro2607 ( 771790 ) on Friday May 19, 2006 @04:04PM (#15368296)
      Even worse, Word .Docs contain huge amounts of "history" in them.

      I have, many times, opened project scope documents (obviously having been based off of older docs) and seen the private/confidential project details of past clients (to the extent of specific dollar amounts etc.)... All because Word, behind the scenes, tracks your changes as some kind of "convenience"...

      I'm sure you can turn off that option, but just consider the technical knowledge of the average marketing/sales person in the office...

      In a small business without some strict & exact security policies, it's obviously very easy for default settings like these to exist completely unnoticed for years (no one noticed until I was like WTF when I joined the company)...

  • WordPad (Score:5, Informative)

    by Nom du Keyboard ( 633989 ) on Friday May 19, 2006 @04:35PM (#15368538)
    Open your .doc documents in WordPad. The nice thing about it, aside from it being free and included in all flavors of Windows, is that it's too stupid to do any of the fancy stuff. It has long been a favorite to avoid macro viruses for the same reason.

  • feature that can be disabled (Score:3, Informative)

    by jnf ( 846084 ) on Friday May 19, 2006 @11:57PM (#15370587)
    I'm not at liberty to mention what the bug is specifically, but all these people suggesting absurd fixes (i.e. links and not attachments [what will this accomplish? If a user will click an attachment do you think they won't click a link??] or switching to OO [sorry its gimpy at best]), all of these people will find themselves feeling silly when they find out the source of the bug and realize that they can just disable that functionality.

Slashdot Top Deals

What is research but a blind date with knowledge? -- Will Harvey

Close