Slashdot Log In
Microsoft Issues Zero-Day Attack Alert For Word
Posted by
kdawson
on Tue Dec 05, 2006 09:51 PM
from the incoming dept.
from the incoming dept.
0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
Related Stories
[+]
No Fix for Word Next 'Patch Tuesday' 80 comments
Sktea writes "A spokesman for Microsoft has said that they will issue no patches on the next 'Patch Tuesday' for versions of Word vulnerable to the recent zero-day threat. There is no mention whatsoever of the omission in the latest advance notification at the company's security site." From the article: "The software maker is working on a security update, but apparently needs more time. The company did not specify how many flaws Tuesday's updates will address or in which components of Windows the holes lie. The Visual Studio update could offer a patch for a zero-day vulnerability in the developer tools that was made public last month. "
[+]
Patch Tuesday — IE7 Clean 75 comments
jginspace writes "As per the advance notification, Microsoft's monthly security bulletin, released yesterday, addressed five general Windows issues and one in Visual Studio. It also included a fix for a problem in Outlook Express for a total of seven updates. As patch Tuesdays go it was fairly unremarkable. The only general Windows update labeled 'critical' is for a flaw in Media Player. As usual, there's a cumulative update for Internet Explorer, but significantly, the only versions of IE affected are 5 and 6. Version 7 is clean — which is welcome news in this first update since the upgrade was pushed to the world last month. Microsoft was silent on the two zero-day Word holes, one reported here and a new one. Sans is calling this 'Black Tuesday' and recommends patches be applied urgently for the Visual Studio and Media Player vulnerabilities. Sans is recommending the Heise Offline Update utility covered in a previous story."
This discussion has been archived.
No new comments can be posted.
Microsoft Issues Zero-Day Attack Alert For Word
|
Log In/Create an Account
| Top
| 483 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
|
2
(1)
|
2
Microsoft Recommends.. (Score:5, Funny)
Now might be a good time to try ... (Score:5, Informative)
Re:Now might be a good time to try ... (Score:5, Insightful)
Yes! Great idea! Just trust all of your internal documents to a random third party company with no privacy guarantees. But hey, at least they've made a vague "Do no evil" promise!!1!
Re:ITS A TRAP! (Score:5, Funny)
It's always worked in the past. Why change a winning formula?
Its a good thing (Score:4, Funny)
(http://www.lireland.com/)
Microsoft is just taking the paperless office to the next level - the documentless office.
Re:Now might be a good time to try ... (Score:5, Insightful)
Not that I'm suggesting Microsoft engineered it, mind... but it might not be as bad for them as seems initially
Re:Microsoft Recommends.. (Score:5, Funny)
Re:Microsoft Recommends.. (Score:5, Funny)
Re:Microsoft Recommends.. (Score:5, Insightful)
A broken lock is a broken lock even if no one takes advantage of that fact.
Re:Microsoft Recommends.. (Score:4, Funny)
Re:Microsoft Recommends.. (Score:4, Funny)
Re:Microsoft Recommends.. (Score:5, Insightful)
(http://www.firehed.net/)
Maybe the notion of writing all my papers in HTML wasn't so insane after all... no more of these archaic "pages", and it would certainly be a more reliable way of turning in assignments than e-mail attachments. Take care of a formatting stylesheet once, and from there on it's just using the <p> tag to full appropriateness.
Re:Microsoft Recommends.. (Score:5, Informative)
The usual reason - a local buffer created from the stack set to a fixed size. ie.
char cbuf[MAX_BUFFER];
I would guess that the Microsoft Word document file will be arranged using a chunk data format:
file header followed by object headers with type, version, length, followed by binary data for that object
In this way, unknown chunks can just be skipped over.
It would be no surprise that each programmer coding a particular object (formula, table) would assume that only
they would be theonly one writing read/write routines for their particular object, and choose to use a local stack
buffer to store the raw binary data, before converting it to the internal data structure.
When reading the document, they would just read the header as normal (type,version,length), then read the specified
amount of object data without checking the validity of the length.
And it only takes one programmer to make this mistake in order to create a security vulnerability that compromises
the entire application. Get the right type of data in the Word document, and you could theoretically load and execute
some executable code stored the file.
Re:Microsoft Recommends.. (Score:4, Insightful)
Given the choice between random sub-second hangs and random crashes with occassional virus infection, I'll take the former any day. Besides, modern VMs compile everything to machine code prior to execution (JIT), so there shouldn't be any significant speed penalty to them - and there isn't, as far as I can tell.
I guess they'll be seeing a lot of exploits in the future too, then.
Re:Microsoft Recommends.. (Score:5, Interesting)
(http://theravensnest.org/ | Last Journal: Sunday October 07, @07:05AM)
I don't use a word processor, I use LaTeX, which seems to have much better layout rules than any version of Word I have seen. The document I am working on is around 200 pages. Compiling it (including invoking gnuplot to draw a load of graphs, pulling in a few code files and syntax highlighting them, constructing an index and bibliography, and making sure all cross-references are correct) takes 7 seconds of wall time on my current laptop, and most of that is time spent waiting for I/O.
Oh, and much of the typesetting code used by LaTeX is written as interpreted macros that are run by the TeX runtime system. If it were all hard-coded, even in Java, it would be even faster.
Earlier this year, I saw a demo of a typesetting system written in Smalltalk (and running in the Squeak VM) that represented every character as an object, with simple rules (e.g. stay next to next character, jump to next line if you are over the margin, jump to the end of line if there is only whitespace between you and the end of line). It ran very fast; he dragged an image across a multi-page document, and the text re-flowed around it, and the entire thing was written in a couple of pages of Smalltalk.
If pagination is slow in Word, then I can only imagine it's because the developers need replacing.
Re:Microsoft Recommends.. (Score:4, Insightful)
You want LaTeX. If you're running KDE, you can't beat Kile [sourceforge.net] as an editor.
Re:Microsoft Recommends.. (Score:4, Informative)
Also observe that Office 2007 isn't affected. Obviously MS is doing something right in the next generation of their products.
Re:Microsoft Recommends.. (Score:4, Insightful)
Re:Microsoft Recommends.. (Score:4, Insightful)
(Serious non-flaming post ahead so don't mark me troll before at least reading!)
Putting aside your Microsoft fanboy attitude of 'oh just buy the next version and all will be well!' lets look at this objectively. And for the sake of being kind I wont go into details of how painful this will be for business in general; Sticking to the simple points will do just find to point out how horrible this is.
> Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.
Now you sound new to the world of tech as you haven't been embittered against Microsoft so I'll give you a break on this one. End users have two types of authentication; 'This looks shiny' *click* and 'Oh I know this person' *click*. So in reality the summary is an effective warning and really if some one in a business gets a document saying AccountsNov06.doc who is to say it is expected or unexpected - some one sent you the accounts and a nice little social engineering spiel to lure you to the click. Yes boss, three bags full boss.
> The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
> It can't be triggered automatically, and limited accounts (like every Vista system) will be largely unaffected. (Because exploits will usually try to root the box or install something, both of which will be prevented.)
See previous post about *clicky*. If you boss tells you to deal with AccountsNov06.doc then you deal with AccountsNov06.doc and that usually, if I'm not mistaken, involves opening it for a start. Also largely unaffected; what does that really mean? There will be a box come up saying 'Click me like you usually do as I get in the way of every simple task' because let me tell you as a system administrator even I started clicking them without thinking after two hours of testing Vista. Finally on this topic users who have limited accounts is a joke - even with your AD locking down almost all of the system most places still allow execution of applications and scripts which may have decent root kitting abilities that bypass user rights - only high schools and net cafes go the whole nine yards.
And lastly you have the gem of saying Microsoft is great because their next product line isn't affected. I think the parent to this post addressed this point perfectly with the following:
> You mean like not releasing them yet?
Which points out the flaw in your argument very nicely. Still it is worth expanding for those unfamiliar with Office 2k7 in that a) it implements a new XML document format which has nothing to do with
Either way before you mouth off at Slashdot consider the topic and its implications to users and business first; there are many real Slashdot exaggerations that are stabs at Microsoft and this isn't one of them. Some times it is apt to say that Microsoft really did drop the ball.
Re:Microsoft Recommends.. (Score:4, Insightful)
Also it is nice that you have time and the interest to educate your clients and I commend you (please assume no sarcasm in that line). Unfortunately as per a generalisation I do not believe your case is common and then of no important to the claim. Also many sys admins are in the added disadvantage that those who break the system are equal to them in standing and prefer to run their own affairs as they are 'grown ups who can tell the difference between right and wrong'...And seriously what can you say against that? While I will say they are pre-school children when it comes to computer based personal authentication I would never say it to their faces as they simply wouldn't understand the context and scope it was meant in. You may reply that I'm not giving my users enough credit...Though that is another argument which I'm not going to go into.
Note that our users also contact us when they are in doubt...Though it is rare that a doubtful response comes back from their 'friend' or 'shiny' assessment of a seemingly (to them) authentic email.
Re:Microsoft Recommends.. (Score:5, Insightful)
(http://www.yafla.com/dforbes/ | Last Journal: Tuesday September 27 2005, @10:43AM)
It's probably closer to the mark than "receive unexpectedly". If someone in a corporation became infected, and they infect documents on a shared network location -- game over. Other users don't have to "receive" it via a classic-email virus, but rather they just have to go about their daily business. You touched on this yourself, and it is why this does basically mean "there be dragons" for all word files in corporations.
Phew! Now that we know that the burgeoning community of Vista users will be "largely unaffected", we're safe! That comprises the set that downloaded and installed the RTM from MSDN, so at a minimum, around an installed base comparable to QNX.
In any case, "largely unaffected" is more deceptive than the Slashdot summary (which came right from Cnet) -- the risk of compromises nowadays are seldom that they'll reconfigure your drivers or repartition your drive, thus requiring admin rights (when was the last time a virus was actually maliciously destructive in such a manner?), but rather that they'll compromise data integrity/security. If Bob is a normal user, but he's in HR and thus has rights to HR information, then so does an exploit running as Bob the unprivileged numbers-monkey.
Re:Microsoft Recommends.. (Score:5, Insightful)
(http://www.kamilkisiel.net/)
As for being hardly affected, it simply says LESS affected. What's to prevent the trojan from taking over your Outlook client and using it to send spam and propagate itself to everyone you know as well. Doesn't take root to do that, nor countless other things.
Re:Microsoft Recommends.. (Score:4, Insightful)
Yes, you absolutely did. There are no exploits running around in the wild affecting Macs. You can't cite a single real-world example. Not a single one.
What you conveniently leave out when you cited the long-ago debunked Mac mini hack is that the Mac was previously configured to give anyone an account who requested one, including full SSH access to poke around. Even the readers at Digg tore this one apart. Hardly the typical situation.
Absolutely correct. None of them are being exploited at all.
And yet nobody's exploiting it, because OS X's security prevents access. Next.
Which should tell you just how "urgent" it was to fix something that wasn't really a problem in the first place.
Lies, lies, and more lies. 100% false in every way imaginable.
Uh, they do post security bulletins.
Ah, the old "false sense of security" canard, despite the fact THERE IS NOT A SINGLE EXPLOIT RUNNING IN THE WILD THAT IS INTRUDING ON A SINGLE MAC. You can't cite a single one. Go for it.
Do you have any other skewed, sliced-and-diced "facts" you want to post that I can debunk? Any articles you want to cite without revealing the full situation behind them? Clearly, you have some chip on your shoulder against Macs, but your shortcomings don't change the fact that there is not a single trojan or virus running the wild for Macs. Not one.
Next.
Looks like a long work day tomorrow (Score:5, Funny)
(http://www.perfectreign.com/)
Oh, wait - I don't do anything anyway and my life revolves around Excel.
Nevermind.
Re:Looks like a long work day tomorrow (Score:5, Funny)
very alone
Re:Looks like a long work day tomorrow (Score:5, Funny)
Re:Looks like a long work day tomorrow (Score:4, Insightful)
(http://madsoftware.blogspot.com/ | Last Journal: Tuesday November 18 2003, @03:00PM)
Then maybe OO.org devs should learn how to write proper C++ code. It doesn't have to be that way. And if you think that CLASS INHERITANCE is the only reason to use C++, then you don't know C++.
Re:Looks like a long work day tomorrow (Score:4, Funny)
(Last Journal: Friday March 14 2003, @08:05PM)
Umm... I think some out of work java programmers are with you. Oh, and I think you've got the support of memory chip manufacturers and makers of quad core CPUs.
Re:Looks like a long work day tomorrow (Score:4, Funny)
(http://www.zenera.com/ | Last Journal: Tuesday November 12 2002, @03:32AM)
>> That's a lot more than two words. Perhaps you should have used the preview button?
Never attended a presentation ? Thats actually a Powerpoint users notion of two words.
Re:Looks like a long work day tomorrow (Score:5, Funny)
(Last Journal: Friday December 17 2004, @07:14PM)
I don't know where you got your MBA, but the low-hanging fruit is there to be picked - in simple terms, you need to synergize new communications opportunities by leveraging existing facilities. Incentivize your staff to maximally capitalize on the benefits of an approach which unifies the output of global arboreal facilities, exsting team-member dexterity and some pens.
Lets see... (Score:5, Funny)
(http://jlarocco.com/)
So let me get this straight... For the time being the only safe Word files are new files that other people don't need to open?
But hey, you saved a ton of money on retraining costs.
what about OO.org? (Score:5, Insightful)
(http://www.myspace.com/mypetmachinemusic)
Good Advice (Score:4, Funny)
Good general advice, really. They should put that on the Office packaging, like on a packet of cigarettes.
ant
Work-Around = OpenOffice (Score:5, Informative)
Re:Work-Around = OpenOffice (Score:4, Insightful)
(http://www.rangat.org/rthille | Last Journal: Thursday November 23 2006, @12:20AM)
Not open or save? (Score:4, Funny)
Re:Bah, typical bullshit non-edited craptastic blu (Score:5, Funny)
Re:zero day (Score:4, Informative)
Re:zero day (Score:5, Informative)
(Last Journal: Friday October 25 2002, @11:31PM)
Misleading summary (Score:4, Informative)
2cv
Re:Article Summary is Flamebait (Score:5, Insightful)
Really? I get documents that I'm not expecting all the time. I never have any fears opening Latex documents from anybody. You Microsoft folks sure have funny security.
Re:Article Summary is Flamebait (Score:5, Funny)
Re:Article Summary is Flamebait (Score:4, Funny)
Just to be safe.. (Score:5, Funny)
Re:Just to be safe.. (Score:4, Funny)
Blurb slightly-FUD (Score:3, Informative)
(http://livejournal.com/users/repton_infinity/)
The actual quote from the Microsoft page is:
If you send an email to Fred saying "Can you send me xxxx", and Fred replies, saying "Here it is", you can probably safely open the attachment. You should just exercise caution when Fred sends you an email out of the blue saying "Hey, read this would you?".
Obvious Response (Score:4, Insightful)
Microsoft Marketing... (Score:3, Funny)
Oh, great! (Score:5, Funny)
(http://www.spoonix.org/blog/)
Yet ANOTHER feature Word has that OpenOffice doesn't. :(
Spam/Virus firewalls (Score:3, Interesting)
(http://slashdot.org/ | Last Journal: Wednesday April 28 2004, @12:34PM)
I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.
For the home user it is a bit more of an issue. At the same time most people use Yahoo, MSN, Google or some other account that has active scanner that I'm sure will be able to block these in the short run...if not by analyzing the file by analyzing the subject line. Heck, chances are it'll look like spam to my firewall won't let it thru to begin with.
I do wish MS would put out the technical details of this exploit. It sounds like some sort of a buffer overflow. Something tells me it is a graphic insert of some sort, but who knows.
This aughta make FINALS more interesting... (Score:5, Funny)
(http://slashdot.org/)
My final project for the semester is attached as a Word document. If you have any problems reading it, please let me know. Me and everyone else in your address book.
Don't have to worry about grading it. By the time you read this, I will have used the root-kit to grade it myself.
Nice porn, by the way! You dog! We'll make this our little secret.
love,
toodles
I advise the same thing (Score:3, Funny)
(http://slashdot.org/)
ODT works well... hell, for that matter RTF works well enough for most people.
Fair is fair... (Score:3, Interesting)
(Last Journal: Friday May 18, @11:07AM)
Ya, sure, MS is the biggest target, so gets more hacker attention. Just the same, being king of the hill is not easy, and F/OSS software makers should do their best to simply keep doing things well, rather than doing them 'just like MS does' as its not working out so good for Redmond today.
Do everything that 80+% of users want, do it very well, and let the Excel gurus and desktop publishing companies do the things for those other 12% or so. That's the biggest bang for buck right there. That 12% might be the biggest spenders, but they also don't care about the cost, or don't want to retrain or convert etc. ad nauseum.
Exercise caution... (Score:5, Funny)
Error in article and MS link (Score:3, Informative)
(http://irc.macintosh.efnet.com/ | Last Journal: Sunday July 04 2004, @07:33PM)
There is no 'Microsoft Word 2004 v. X for Mac'
we're all going to die.... (Score:5, Funny)
If you stick with something long enough, (Score:3, Funny)
This is bad enough... (Score:3, Informative)
Re:SLASH! KNOCK OFF THE FUD SUBMISSIONS! (Score:3, Interesting)
(http://www.aperte.nl/ | Last Journal: Monday July 07 2003, @05:11AM)
They actually did say that, but you could claim the slashdot post was misquoted: "Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file."
I know this is slashdot, but RTFA.