MS Word Zero-Day Exploit Found

subbers writes "A zero-day flaw in Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"

At least it's not open source

You know how unreliable OSS is after all...

Name Change?

Maybe they should consider renaming MS Word to MS Access?

Not overly bad, combined with some others bad.

This type of spam isn't too bad given traditional spam methods, as smarter users won't open attachments from people they don't know. The dumb ones generally dont know a word doc from an EXE so hopefully they are also avoiding most attachments. However there have been a few articles [arstechnica.com] on the future of spam and local data mining. Consider what would happen if the next virus your co-worker got looked through their emails, found the last word document they sent out, and then copied that but embedded this exploit. They might even say, its been revised please have another look. The chances you wouldn't open this are extremely low, and especially when you are opening a normally okay attachment. It is coming from someone you know, from their computer, through their isp, and even is styled the same way as normal. The question is how will we attempt to combat such things? It doesn't just have to do with holes in microsoft office, or any other format too. When local data mining is combined with exploits in any other common formats (give the image exploits of other os's even) you now have a delivery method that can almost promise execution.

Re:Not overly bad, combined with some others bad.

You haven't done any computer support for non-technical people in a long time, have you? It's only been a couple years since I broke free from the shackles of technical support, so believe me when I say way too many people will open this without thinking twice.

Re:Not overly bad, combined with some others bad.

Are You Serious?!?!

So your saying in the age of the modern broadband; in the age of rich deliverable content; you are saying we should send text only? That's great. It's got nothing to do with fundamental inherent security issues in Microsoft's software made in poor architecture judgements, as well intended as they were.

It's the fault of a fundamental concept in email delivery, which non microsoft users use without fear.

hmmm.... don't think so. not at all.

Re:Not overly bad, combined with some others bad.

What virus infected document? The one that couldn't be emailed to me?

You mean the one that has to be sitting on a server for me to get. That document was blocked a long time ago when someone else clicked on it and IT security stopped access to the IP at the firewall to prevent further spreading from the source.

And now, since I cannot email it to someone else, the virus has to share itself on my drive and spread that link around. Only it can't because the workstation doesn't allow shares. There is a corporate share I place docs on.

So not the virus has to find the corporate share, find a directory I have access to and embed itself there. Then email others in the company. Only most others in the company don't have access to the share I have access to. So most can't open the document.

Now you've slowed it down to only spreading to the team with rights to the share using a medium which can be managed - temporarily block the share - scan for the document and remove it - turn the share back on. Other team members risk sharing with the few people they interact with from other teams, but the virus has to find which people those are from the permissions on the share versus mailing list - a sparse matrix.

Re:Not overly bad, combined with some others bad.

So, instead of attaching files to e-mails we should:

• All run webservers and have e-mail programs that know how to publish to them and all of the cool new security issues that'll bring with it.
• Or, we should all rent access on a webserver somewhere and either know how to publish documents on it, or have our e-mail program do that.
• Or, we could all have publically accessible Windows Shares where the URL://fredsbox/myshare will somehow magically work everywhere.

New Microsoft Outlook 2007, The Safe Way
No more of that nasty bold text (or any other formatting for that matter) ruining your otherwise clean message.
Enjoy getting humorous images mailed to you? Not any more!!!
Viruses, no way, not in a text only package! (Unless the sender figures out something we didn't check, like, a buffer overflow if you make a line of text 4097 characters with no breaks.)
E-cards are so 2006, NOW ASCII-cards!!!

Good lord

Refer to a url pointing at a share within the company instead.

Have you never heard of phishing?

When do we see a patch?

Is there already a race on for releasing a patch? Can the anti virus companies detect it?
I guess it will be a mess if they dont start detecting it soon.Of course MS will be flamed again.

is Microsoft this fragile?

A recent slashdot story asked the question, "Is the internet that fragile?" When I see stories like this, it reminds me and should remind everyone of the other fragile technology(ies), Microsoft and their baggage.

Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:

As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.

This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.

Microsoft has made our bed, and now we all must sleep in it (ick). It's unacceptable that such an exploit could so easily take control and wreak damage. Why can a simple e-mail get in and twiddle with what should be administration-priveleged system resources? I know the recommendation is everyone accessing their XP as non-administration users, but how do you enforce that, especially when for so long so many of the out-of-the-box configurations make administration rights the default login?

I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege

Of course, a good outcome from this would be to reconsider the global transport of exchanging documentation (e.g., resumes and cover letters, etc.) to something a little less Micrsoft, a little more open, and a little less prone to exploits. That can't happen soon enough.

Re:is Microsoft this fragile?

I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege

You act like MS is the only company that does this. Nothing could be further from the truth.

a better workaround

The exploit only works properly in Office 2003 (and crashes Office 2000). Given that emailed DOC files are pretty much required for millions of people to do their jobs, the most effective short-term workaround is use something else to read DOC files [openoffice.org].

Re:is Microsoft this fragile?

I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege
"Unique privelege (sic)"? Not quite.. just about every software company absolves itself of legal responsibility in this way.. why, even the GPL does it.

Not funny

How many EXTREMLY critical flaws is it already Word documents have?
How is it possible these things still keep coming up.
It's not even funny anymore...

Re:Not funny

What really gets me is how rarely the methods these vulnerabilities use are used for useful purposes.

In most cases rich text or even plain text documents are more than adequate. Do memos and resumes really need to have executing code in them?

In related news

Sony announces it will be sending an apology note to users who were infected by their rootkit DRM. The apology will be in .doc format.

In other news...

Microsoft: Open source 'not reliable or dependable' [zdnet.com]

real damage?

Finnish anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

Yeah, but can they do any real damage? : p

Question

Would someone with more knowledge than me explain the term "zero day"?

Re:Question

Zero Day means that the vulnerability was previously unknown. Hence there are no days between dicovery of the vuln and dicovery of the exploit in the wild.

Re:Question

Hmm the Wikipedia page doesn't really explain it very well: http://en.wikipedia.org/wiki/Zero_day [wikipedia.org] so let me try.

It means that the exploit was discovered by crackers before any patch has been made available to the public. In other words there is nothing you can do except not open any .doc files unless you want to run the risk of being cracked.

But of course, everyone knows that Word is full of holes because no-one has really attempted to use it as an attack vector yet since there are many easier ways [microsoft.com].

Re:Question

Would someone with more knowledge than me explain the term "zero day"?

N (where N >=1) day exploits refer to the number of days after a vulnerability and/or patch is made available that it takes for exploits to occur. If Microsoft releases a patch on the 12th and an exploit is written on the 15th, that would be 4 day exploit. Some people would consider it to be a 3 day exploit, not counting the day of the announcement.

Zero day refers to an exploit that uses a previously unknown vulnerability in software, or in some special cases, finds a way to turn a previously known flaw from something that wasn't considered bad enough to patch to a dangerous situation. Zero day exploits are dangerous in that there are no patches for them, although in some cases it can be prevented/mitigated by firewalls or Intrusion Prevention Systems. On the other hand, zero day exploits are often held closely by the people who discover them in order to gain the maximum advantage from it. For example, the exploit used on debian.org a few years ago was not disclosed in order to use it to penetrate several huge names in the open source community. Once a zero day exploit is made public knowledge, it will be focused on and patched.

There is also an archaic use of the term from the old days of pirate BBSes - back when delivery of cracked software was slow, difference BBSes would have better priority on getting delivery of that software. The most important ones would get the software the day it was released by the cracking group and would be described as having 0 day warez. Broadband/P2P/etc. has made the use of this term out of date, although it's entirely possible that some people still use it in this context.

Ahh Microsoft

I would like to point out that as a pen tester, Microsoft product really *DO* make my job easier.

Just how much is 'exploited'?

Is this an exploit that somehow grants malicious code access privledges even beyond the user's access level, or does this simply allow execution of arbitrary code at the access level of the user who is running Word?

If it is the former, then it's a very serious flaw. If it's the latter, then it's a serious flaw, but one that will only really adversely affect people stupid enough to run as Administrator all the time, despite Microsoft's own warning against such idiotic practices [microsoft.com].

If it is the latter, then I have further justification to use against the users who have complained about using their Administrator privledges.

Most of us shouldn't have to worry...

FTA: Symantec's DeepSight team said the exploit successfully executes shellcode when it is processed by Microsoft Word 2003. The malicious file caused Microsoft Word 2000 to crash, but shellcode execution did not occur.

Wonderful! So it only affects the latest-and-greatest versions of Office. Considering that MS hasn't added anything since Office 95 (I still run '97, myself), I expect only business users on SA should ever get hit by this exploit.


Then again, I suppose this means that Microsoft has added something, at least since Office 2000... Namely, more security flaws. Woot! Way to go Billy G! "Focus more on security" indeed.

Good thing...

Guess it is a good thing that I haven't seen enough added value to justify a move from Word 2000 to 2003 in our organization.

DEP?

Does this still work with hardware supported Data Execution Protection enabled I wonder? Just curious. Seems like the kind of thing it's supposed to trigger against. I know that with it enabled, I can't profile a visual studio project I'm working on, as the profiling app hooks into the memory of the app I'm working on. Not sure if this is a similar thing though. But still, seems like something that should be a clear separation between executable and data segments of memory.

Only a taste...

...of things to come. This is the Microsoft Windows Vista teaser trailer :p

Oops..

Like this guy [slashdot.org] has been saying all along, commercial sofware are more dependable, reliable....


For Hackers..

Queen: *dong* *dong* *dong* another one bites the dust!.

This is nonsense!

I've read comments from Microsoft trolls on at least 2 other articles saying that if I have up to date virus definitions and a working firewall I'll never experience any infection from anything like this.

Over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over again.

How many years have y'all been virus free, boys? 5? 50? 500? Because, after all, people never get viruses when they have all the avaliable OS updates, all the AV definitions up to date, and a working firewall. Right? /flameretardant materials on. I expect the MS fanbois to be storming this article in a matter of minutes.

Geez.

And this just brings us right back to the oldest antivirus solution in the book: if you don't know the sender, DON'T OPEN THE FILE. You'd think people would catch on by now...

Re:Geez.

if you don't know the sender, DON'T OPEN THE FILE

WRONG! Modern viruses, for YEARS now, have set their 'sent from' address as a random address they found in either the internet cache, or ADDRESS BOOK of the infected machine. Often many people in a random address book already know each other. That means the virus has a very good chance to be sent 'from' someone you know (in the address line), although that person didn't send it.

Don't trust an attachment just because it appears to come from someone you trust. If you aren't expecting that exact attachment, or there isn't very very clear working in the email that would make it relevant to something you know about rather than some generic topic, don't open it. Take two seconds and email the person back and ask what it is.

Trusting an attachment just because it appears to come from someone you know is STUPID.

doesn't affect me

Seeing as I don't run as an Administrator on my box when I'm not administering, the exploit is neutralized by simple lack of privielges. Still sounds nasty nonetheless.

Clarification: Attack is from China, not of China

For all we know, the Zombie Overlords live in Scranton, NJ or Brazil.

They're just using the incredibly insecure servers one can find in China and nearby countries to base the attacks from.

Now, that doesn't mean they aren't Chinese - in fact, that's quite possible - just that where an attack comes from is frequently not where the people who set it off are based in.

security?

As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter.

How about:
- make sure your users don't work as administrator but under an unprivileged user account
- setup the system so that this unprivileged user account cannot write in %windir% and %ProgramFiles%
- build the network in such a way that programs cannot directly "connect home" but can connect to the Internet only via well-defined proxy servers
- setup mail so that incoming office documents opened from mail do not open in Office but in the free Office viewers instead

Re:security?

I do understand your frustration. I really do.

I don't think so. The system at work has been running like described above for 5 years and there are no real problems. And we are not sitting shaking in our chairs waiting for the next trojan or virus.

many applications still rely on being able to write to their %ProgramFiles% folder

Mostly just hobbyist-in-a-garage stuff and telebanking applications. More serious developers have read Microsoft guidelines over the past years, especially when XP SP2 came out.
The very few exceptions can be managed using a global group and an ACL entry.

Oh, but your only going to let them run the apps that *you* say they can.

This is the basis for any managed IT environment.

Got any remote workers?

Remote workers can only work via the VPN. Because a group policy applied firewall prevents them from connecting directly to the Internet.
Via the Internet they can connect home over VPN and then back out for websurfing via the proxy. This works well.

they have to close the viewer, save the file, open in word, edit, save, email.

Maybe you need to install the viewers and have a look. They actually have a menu entry to "open this document for editing" which automatically transfers control to Office.
I actually dislike the idea of opening an attachment from a basically read-only entity like an incoming mail into a read/write application by default. Users will start editing the document and forget that it cannot be saved back to the original location.
Opening in a viewers shows the user that it is read-only document that they need to save elsewhere to edit it.

The real question is

Can Openoffice.org import those special Doc ?

Wouldn't this be considered...

Wouldn't this be considered more of a trojam than an exploit?

There is a REALLY simple solution here...

There is a painfully simple solution to this ... filter email, but not like the article says ... blocking ALL .doc attachments is just stupid.

Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter.

Give me a sample of the code and I'll write a procmail and/or spamassassin filter that either /dev/null's infected messages or assigns it a zillion points. ... I can't find the exploit code. Maybe it's not that simple ... damn politics ... <grumble> ...

My PC Compatriots Won't Listen...

...when I tell them, that my Mac OSX laptop is the CHEAPEST form of absolute insurance against the MS EULA protected gross safety problems of MS's XP Pro & MS Office.

They do critical MSWord docs back and for with clients and the FDA in Wash. D.C. all day long, and I really don't think they accept how risky this is today, particularly if a document comes in forwarded from a reliable source that has had the malicious RootKit somehow patched onto an other wise legitimate document that they need to file with the FDA.

Of course that makes me wonder how the FDA handles a malicious MS Word document. They are no different than anyone else in receiving zero day exploits.

Each time a zero day or other serious problem hits, I remind them, but they are literally afraid of having to learn something new, & so stick with the MS offerings.

Re:My PC Compatriots Won't Listen...

Even worse, Word .Docs contain huge amounts of "history" in them.

I have, many times, opened project scope documents (obviously having been based off of older docs) and seen the private/confidential project details of past clients (to the extent of specific dollar amounts etc.)... All because Word, behind the scenes, tracks your changes as some kind of "convenience"...

I'm sure you can turn off that option, but just consider the technical knowledge of the average marketing/sales person in the office...

In a small business without some strict & exact security policies, it's obviously very easy for default settings like these to exist completely unnoticed for years (no one noticed until I was like WTF when I joined the company)...

Are people really suggesting...

1. That I just not use my computer. (If I can't open files that appear to be from business clients, um what files can I open?)

2. That Word 97 is better than Word 200whatever?

There is no reason.....

.....to ever, ever, EVER open any attachment that came via e-mail unless you are (a) expecting it, (b) know what it is, and (c) know who it came from.

Since all these factors can be spoofed, insist that anyone who is sending you an attachment first send you a plain text e-mail advising you that he/she is about to send the attachment. This message should include your name in the body in the text, a brief description of what is being sent, and maybe even a worded statement of the date and time to confirm the time stamp. You could even establish a code word or phrase with regular correspondents and ask that they include that in both subject line and text body. Conversely, if you do receive an unexpected attachment, but it appears to be from a known correspondent, e-mail them and ask if they sent you a message with attachment with subject line XXX at such and such a date and time.

Seem like a lot of trouble to go through? Compare the momentary annoyance to the time and cost of ridding your machine of a nasty virus. I've known people who are well aware of the ticks and trades of virus sending assholes who get infected simply because they get careless or lazy and don't take steps such as the above.

Where's the exploit?

How is this a 0-day exploit? we've known ms-word was a security hole for somehting like a decade.
Were there some people out there who thought that it was safe to open a word doc before today?

I'm mean heck, you can hardly blame MS, it must be really hard to come up with a secure way of storing formatted text... i mean, what with it's inherent ability to carry viruses and all.... (head asplodes)

WordPad

Open your .doc documents in WordPad. The nice thing about it, aside from it being free and included in all flavors of Windows, is that it's too stupid to do any of the fancy stuff. It has long been a favorite to avoid macro viruses for the same reason.

Can use this to advantage

We can all take advantage of this - from now on if a vendor sends you a Word document insist that for security reasons they cannot open it and should send you a PDF or OpenOffice document instead.

More Anti-China propaganda.

Ooooh. "Hackers" in China and Taiwan are "Sophisticated". Oooh. Fear.

I'm getting sick of this bullshit.

It's growing increasingly obvious with every slanderous remark about the 'evil' Chinese that the West is trying to create a new 'Evil Empire' to scare us all with. Probably, (among other things), to fuel the endless weapons industry and keep the public too distracted to get down to the much-needed task of hanging all the president's men.

If the Chinese media weren't busy doing the same thing to their own populace, I'd be slightly less worried, but the fact of the matter is that 'somebody' wants us all fearing and hating one another. What a load of crap!

When you can watch unfolding such a deliberate effort to herd the world's population into specific (stupid and self-destructive) thought patterns, it seems very obvious that there's already a One World Government nestled in place, pulling all the strings, and generally being vile and nasty in their total disregard for compassion and decency.

Every time you see a story about the 'Evil Chinese' remember this: You are being manipulated.

But also remember, it is your choice as to whether or not you go along with it. I very much hope there is somebody saying the same things in Mandarin.

-FL

Solution for GroupWise users

Groupwise has a nice feature for dealing with attachments that can be set in the preferences: to use the built-in viewer, which is independent of Office. You can see the contents but it doesn't execute any code. IIRC, it's under Tools > Options > General -- look for the radio buttons marked "Default Attachment Behavior" (or something) and set it to View, not Open.

This was such a useful setting that I made it one of the first things I demonstrated to users during the open monthy training sessions. They loved it, and nobody ever suspected it was there or what it was good for.

I have no idea if Outlook has anything similar that's not so tied into the Office renderer that it would be indistinguishable. I forget the name of the technology, but it's awesome. It has just about every document type filter known to man. I've opened CAD schematics with it. No joke.

Say what you like about GroupWise, but I remember during my helpdesk years that every day a new email virus exploit was announced, I felt a little better about things. I also knew who I was going to get calls from that day: the five people on campus who simply would not give up Outlook.

feature that can be disabled

I'm not at liberty to mention what the bug is specifically, but all these people suggesting absurd fixes (i.e. links and not attachments [what will this accomplish? If a user will click an attachment do you think they won't click a link??] or switching to OO [sorry its gimpy at best]), all of these people will find themselves feeling silly when they find out the source of the bug and realize that they can just disable that functionality.

Re:Yes, but...

Probably, but only if:

1. WINE is installed
2. MS Office 2003 is installed
3. user is careless

Re:All your DOCs are belong to us!

All your DOCs are belong to us!

You mean "DOC".

Re:Lenovo PC's only (Mod Down -incorrect)

This statement is incorrect, and I suppose it was meant to be sarcasm of some sort, however my sarcasm detector is having a glitch. The exploit does not care what make or model the computer is, only that it is running MS Office.

HTH, HANDA

Re:Hmm...

You don't like formatting your postgres output in LaTeX?