Third Microsoft Word Code Execution Exploit Posted

gregleimbeck writes "Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened."

Thanks for the proof

[Anonymous Coward]

I always suspected that Microsoft Word was Turing-complete.

Re:Thanks for the proof

[spellraiser]

No, that's Emacs. MS Word is a pushdown automaton at best.

Why do they have to make it hard

[skelator2821]

Format the Page the way it was meant to be SIMPLE! I mean its JUST WORDS put together why the need for Super Secret imbedded code? Word Perfect did this with precision .

Re:

[Acuram]

I can tell you've never used any of the VBA in Word. Executable code + DOM = $$

Re:

[Shados]

There's simply no money to be made in a simple office suite. Too many people who use basic office features will either use open office, or downright crack MS Office. Even companies.

The ones that will actualy shell out for Office are high end corporate customers. And beleive it or not, these features are very useful when you get to that point.

Re:

[Firehed]

I'm sure you're right about corporate, but considering how many Firefox users I know (that's to say, those that might consider alternatives to Microsoft), I'm the only one of them that's ever used OpenOffice. And I'm sure that none of them would have had the computer knowledge to crack Office (you know, just find any of a hundred thousand torrents of it).

Nope, most people I know that need nothing more than a basic office suite still use - and purchase - MS Office. Mind you, they'll typically end up with t

Re:

[Shados]

I see. Almost everyone i know using Office has a cracked copy or another. Usualy because Office does a lot less check, and usualy a simple copied CD from work is all you need. An incredible amount of computers come preloaded with illegal office (thats what my parents are using >.> ).

And well, the educational version of Office's price is so freagin low, it might as well be piracy (depending on your take as to the legitimacy of such pre-sale restriction on software usage, not to be confused with post-sa

This appears to affect OpenOffice 2.0.4?

[Rupan]

I tried to open the PoC with OpenOffice 2.0.4 and it crashed. Can someone confirm?

ooffice2 12122006-djtest.doc /usr/lib/openoffice/program/soffice: line 236: 12793 Segmentation fault "$sd_prog/$sd_binary" "$@"

This may not be a code execution bug; I'll try to trace it with gdb to see what happens.

Re:

[phunster]

It crashed OO 2.1 here

Re:This appears to affect OpenOffice 2.0.4?

[Rupan]

The gdb backtrace shows that the crash occurs in SwIoSystem::IsFileFilter (). EIP may not have been overwritten; the value points into what appears to be a valid function (i.e. not the stack or heap):

eip 0xb7286b4d 0xb7286b4d osl_getVolumeInformation+4487

Of course, this is probably because the exploit was designed to crash MS Word in the first place, not execute arbitrary code.

Re:

[QuantumG]

Doesn't really match up with this stack trace though does it?

Fatal exception: Signal 6
Stack: /usr/lib/openoffice/program/libuno_sal.so.3[0xb754 651f] /usr/lib/openoffice/program/libuno_sal.so.3[0xb754 683f] /usr/lib/openoffice/program/libuno_sal.so.3[0xb754 68dd]
[0xffffe420] /lib/tls/i686/cmov/libc.so.6(abort+0xe9)[0xb6f7a2b 9] /usr/lib/openoffice/program/libvcl680li.so[0xb7f5d a0b] /usr/lib/openoffice/program/libvcl680li.so(_ZN11Ap plication5AbortERK6String+0x17)[0xb7dbbf53] /usr/lib/openoffice/program/sof

Re:

[Rupan]

Interesting that you get a different result than I did. Here's a full trace of what I get:

http://rafb.net/paste/results/Jki6Ds85.html [rafb.net]

Re:

[QuantumG]

yup, I think that indicates it is a corrupt stack.. anyways, maybe some openoffice developers would like to know about this, if they don't already.

Re:

[droopycom]

Dont worry!
Dont you know that OpenOffice.org use Slashdot as a bug tracking system ??

Re:

[QuantumG]

I wouldn't wanna take enjoyment away from the people who find it fun to work on OpenOffice.

Re:This appears to affect OpenOffice 2.0.4?

[Rupan]

This is actually quite scary considering the size of Office documents. Store the executable code embedded in the metadata where user-supplied text would normally exist, using a nop slide of several kilobytes at the start. You have at least 26 kilobytes after all... imagine what could be done with 10k of executable code.

Re:This appears to affect OpenOffice 2.0.4?

[Gothmolly]

...imagine what could be done with 10k of executable code

Run Visicalc?

Re:

[dysfunct]

Can confirm at least freezing (no segfault yet) on OOo 2.0.3 on FreeBSD

Re:

[TheLink]

Whoopee OpenOffice is getting more and more compatible with MS Office by the day... ;)

But as long as people write most of their complex stuff in C or C++ this will keep happening.

People should switch to programming languages and frameworks that just won't run "arbitrary code of an attacker's choice" when something exceptional occurs.

After all these decades aren't there any easy to learn, safe and fast programming languages?

Re:

[ceoyoyo]

Pick any two. Well, no, pick either of the last two. You might get the first one as a bonus.

Re:

[TigerNut]

You can't fault the programming language. The problem is in the application if it doesn't check buffer size against how much data is being read; it's in the OS if the problem is occurring when the application does a system call of some sort and is compromised in the process.

However... it looks like there are Oo.org users digging into that side of the problem. Probably they'll have an accurate synopsis of the failure mechanism and a patch on the way in a few days. Unfortunately we can't say the same (with th

Re:

[TheLink]

Uh if that happens then the language used is obviously unsafe.

Next you'll be telling me it's not the fault of a computer system (O/S + hardware) if user A's processes can change the memory contents of user B's processes, and it's actually a problem in the application... Who wants to do cooperative multitasking and memory management nowadays?

Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit? Sure there should be an error and things could go wrong (e.

C++

[Z34107]

Uh if that happens then the language used is obviously unsafe.

The language isn't "unsafe" - it just lets you do some very, very nifty stuff that noobtard programmers are better off leaving alone.

C++ has perfectly "safe" features - the Standard Template Library has container classes like strings and vectors that won't overflow no matter how careless you are.

For those who insist on going down to the byte level and concatenating their strings themselves, Microsoft included "safe" versions of these functions in Visual Studio 2005, and will compile with warnings if you use the dangerous, buffer-overrun-producing variants.

Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit?

Because a hacker's input and a programmer's overconfidence in his manual input validation (or lack thereof) put the hacker's code over the program itself. It fit just fine where the still-running program used to be.

This can happen in any language - C++ programmers are simply notoriously bad at input validation.

Re:

[Z34107]

People should switch to programming languages and frameworks that just won't run "arbitrary code of an attacker's choice" when something exceptional occurs.

No matter how many different levels of indirection you have, eventually your code turns into instructions and raw bytes that get crunched by the CPU.

All that changing to a slower and inferior (but easier to program!) language does is add another point of weakness: you can exploit program code or the framework code.

[goofymetaphor]Languages like Jav

Re:

[TheLink]

Sure, there'll always be a place for unsafe languages but most programmers shouldn't be using C++ (or C) - there's plenty of evidence that they obviously don't know how to write safe C++. Just look at Bugtraq every day.

As for the raw bytes, fine for my code to get turned into instructions, but not fine for an attacker's arbitrary _data_ to somehow being treated as raw instructions.

Why is it _still_ so common for function parameters/data to be pushed onto stacks that are also used for program counters (retur

Re:

[Z34107]

Why is it _still_ so common for function parameters/data to be pushed onto stacks that are also used for program counters (return addresses)? It's a stupid idea for modern computers - bad hygiene (poorly controlled mixing of code and data).

First of all, the program counter (or instruction pointer) is the register where the address of the next instruction is stored. The return address is where your program was before it called your function.

Unless you write your program in one giant function, you will

Re:

[TheLink]

I guess I wasn't clear, but I was saying apps can have two stacks, one stack for return addresses and one for parameters. Even if you clobber the parameter stack, you won't clobber the return address stack without the CPU detecting it automatically.

Why I said one stack for program counters: In loose terms, for a subroutine call the cpu pushes the value of the program counter onto the stack, and then changes the program counter to the new address. The return command just pops the program counter off the stac

Re:

[Fred_A]

KWord (1.5.2) opens it as well. Looks empty here too.

Affect on Macs?

[goombah99]

Someof these bugs can penetrate macs, but is there an actual exploit the pentration on macs? For just one or all three?

Are these fully macro virsues or are these actual binary executables being injected?

If we have binary executables being injected by some sort of buffer overrun, then I wonder what happen on intel macs. Does the exploit inject i86 code or ppc code. Does Rosetta run the PPC injection or does the i86 injection run on it's own.

Pointers in documents?

[goombah99]

Microsoft Word malformed pointer vulnerability

Overview

A vulnerability in Microsoft Word could allow an attacker to compromise a vulnerable system.

I. Description

Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory. An attacker could trigger this vulner

Re:

[corsec67]

The Word document is similar to a core dump of Word.exe.

Re:

[NadNad]

Rosetta only kicks in when a binary is started. Once a binary is running, it's stuck in whatever CPU mode it began...an intel-native executable cannot load a ppc shared-library module at all. So need to have a universal-binary exploit if one wants to hit both ppc and i386.

Ad on site

[Joe The Dragon]

there is add for TechNet Security Center on that page
http://www.microsoft.com/technet/security/default. mspx [microsoft.com]

Its a feature

[Lithdren]

Fairly alarming that a simple document meant to basically contain text, can launch code on an OS.

How long before someone turns this into an actual feature? Open an attachment in an Email, and launch an app to install something on the machine imbedded in the email itself? I could almost see this as usefull in a business atmosphere.

Just dont sign me up to work in their IT department. Oh god the horror that could (would) cause.

Re:

[geekoid]

"How long before someone turns this into an actual feature?"

About 12 years ago.

Re:

[SpaceLifeForm]

I'm pretty sure these exploitable holes weren't
stable until 98se.

Re:

[thewils]

Fairly alarming that a simple document meant to basically contain text, can launch code on an OS.

Certainly is.
Brought to you by the company that allows embedding [microsoft.com] URLs in digital media.

Re:

[flyingfsck]

MS Outlook has had that feature since day one.

Kinda limits Word's functionality, dontcha think?

[kbob88]

Microsoft suggests that users "do not open or save Word files,"

I really like this quote! That kind of limits the functionality of a word processor if you can't open or save files, right?

What exactly does Microsoft suggest that I do with Word files? Besides using them to fragment my hard-disk? Maybe I can burn them to keep warm in the winter... um, no.

Or perhaps I'll just use Word to create and save HTML files!!

Re:

[Shados]

Read them straight off the hard disk with your bare eyes. Obviously.

who downloads attachments from unknowns anyway

[ZahnRosen]

This goes under the category of basic internet security. Don't open files from people you don't know. And if you do get a wierd file from someone you don't know stop and think for 10 seconds about it before you open it. Or, buy a mac.

Re:

[Beryllium Sphere(tm)]

Network World reports that the exploit is being used in targeted attacks, for which the source and subject line could be made to appear plausible. If the spoofed From line is one of your coworkers's addresses, and the subject is something of current interest in the company, it would be easy to get fooled.

How will buying a Mac help unless the team that coding Office for the Mac was much more security-conscious than the team that coded Office for Windows? The one thing that Mac has going for it is a good impl

Re:

[TheLink]

Uh, a dangerous file is still a dangerous file whether it comes from a stranger or someone you know. It's not like you can only catch diseases from strangers ;).

Macs are not more secure by design, so if everyone bought a mac, their computers would be worm infested spam spreading zombies in no time. If you are a Mac user and you want to be safe, stay a minority.

A safe way to open a suspicious file is to use a different pristine machine and reimage that machine after that. Virtual machines might be ok but the

Underneath the radar

[Vengeance_au]

Biggest problem with this sort of exploit, is it gets under the radar of people who actually know not to open executables etc that are sent to them - but a document? Unless they are aware of this emploit being "out there" people will recieve an email with "teh funny.doc", "invite to my birthday.doc" or "pics of brittany + paris.doc" and double click without thinking. Boom - instant zombie machine.

So all those family, friends and colleagues who you've (finally) trained not to open funny.exe or funny.scr a

Anyone remember milw0rm?

[__aaijsn7246]

http://en.wikipedia.org/wiki/Milw0rm [wikipedia.org]

milw0rm is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Bombay, the primary nuclear research facility of India, on June 3, 1998. The attack generated heated debate on the security of information in a world prevalent with countries developing nuclear weapons, the ethics of "hacker activists" or "hacktivists," and the importance of advanced security measures in a modern world filled with teenagers willing and able to break into insecure international websites.

Re:

[Frosty Piss]

From the same Wikipedia article References section:

( www.milw0rm.com ) Security site ran by no former milw0rm members

My favorite word processor is immune

[davidwr]

Upside:

Familar user interface
Fast
Cheap
WYSIWYG

Downsides:

Replacing blocks of text with larger-sized blocks of text difficult to impossible.
Cut-and-paste is messy, literally.
No automated search.

My Word Processor [sbac.edu]

Re:

[SnarfQuest]

I've tried using that, but everyone always complained that my messages were corrupted and unreadable.

Goddamn it

[spellraiser]

From TFA:

"Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory," the US-CERT warned.

So yet again it's a case of embedded code within a data file wreaking havoc. And as already been reported in comments here, this vulnerability also exists in OO.org.

Seeing this kind of thing always blows my mind. I would be greatly interested in hearing the rationale behind the decision to incorporate this feature. What the hell did they need that for?

Re:

[SpaceLifeForm]

So they can spy on the user. If the holes are there by design,
it would make sense there are other holes that have yet to
be discovered.

Re:

[Beryllium Sphere(tm)]

>Data used by Microsoft Word to construct a destination address for a memory copy routine

I can't wait to find out what this means. Every file format that creates data structures has "data used ... to construct a destination address", in an indirect sense.

Re:Goddamn it

[cascadingstylesheet]

>So yet again it's a case of embedded code within a data
>file wreaking havoc.
>...
>What the hell did they need that for?

I don't know about the new XML-ish version, but the old DOC
"format" was basically a Word memory dump. Not
quite as surprising when you think of it that way ...

Re:

[fostware]

OLE, DDE, etc...

People's pretty WordArt wouldn't work otherwise

Wait until you see how Publisher files are constructed - AFAICR each text box is a mini Publisher OLE object and let's not start on the picture boxes

I feel sick just thinking about it :S

I smell a rat

[gx5000]

Why all these exploits now with applications that have been around for over seven years ??!!
I mean if the latest version of word had a newly discovered bug, ok...move along, nothing to see here...
But an exploit that can affect all three version of word (2000, 2002,2003)??!!
Oh sorry, up to three now aren't we....in the same month....

I smell a rat...
And I'll notice the Tail when Word 2007 is declared void of these exploits..
Call me paranoid, but at least just call me...
I'm glad I no longer work as MS Phone Su

What if Word is the default email editor...

[Panaqqa]

as is the case on many machines out there.

I wonder if a properly crafted email could launch this one simply by clicking "Reply". Insights, anyone?

abi-word, ooo

[Lehk228]

abiword opens it as a blank file with a funny page dimension

Openoffice complains about not enough memory to open the file and doesn't even try to open it

Well, Symantec Antivirus caught it....

[kenblakely]

....and quarantined the .doc demonstration file. Not much of a zero-day exploit....

Does NX work around the bug?

[Myria]

Does NX cause Word to crash instead of run a worm with this exploit?

Melissa

Unbelievable

[AftanGustur]

"Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself."

If this is a standard practice at Microsoft, I'm beginning to understand why they are so relunctant to publish their protocols and standards.

language clue: ubiquitous != popular (n/t)

[toby]

no/t

Re:

[reaktor]

Heck yeah. OOo is nice, esp the new version. My family actually prefers it because it is not overly bloated and annoying like MS Office.

Re:

[that this is not und]

To the contrary, OpenOffice requires significantly more hardware resources to run than usable versions of MS Office. I have run Office 2000 in a usable state on an old '486 laptop with 40M of ram.

Open Office is unusable on such a machine. It's probably 'coded better' with C++ and what-not, creating bloated structures and resource piggishness. There is probably an old version of StarOffice that would run fine on the '486, but the notion that OpenOffice is magically 'less of a load on the machine' is just

Re:

[ThePhilips]

It's probably 'coded better' with C++ and what-not, creating bloated structures and resource piggishness.

It is not. M$Office is much more optimized (by all means) product. StarOffice itself was based on previous work - so the code base was already split even before Sun acquisition. And then add development of Sun and OO.o which do not perfectly fit each other.

And Sun's following development effort which threw in Java to the backet didn't help either.

The result is buggy bloated mess. Don't argue w

Re:

[newt0311]

OOo is nice because it is free. It is however the most bloated piece of software that I have seen in terms of resource consumption including MS products. True non-bloatedness comes with emacs+LaTeX. Now there are things which do not take up any significant resources (until they are done reading my 33K startup .emacs file and increasing buffer and undo limits to ungodly levels that is.).

Re:

[SnowZero]

I don't have particularly large limits (I think), but it always bothered me that every copy of xemacs would have 10 MB of resident memory. It bothered me a lot more when my computer only had 32 MB of memory (Linux drove me to upgrade to 64 MB pretty quickly after switching from Windows). Now, of course, 10 MB is practically nothing compared to what the Mozilla applications or Open Office use...

Re:

[makomk]

Of course, having looked at the Emacs source code, I don't think it can even allocate more than 16MB or so of Lisp storage, which limits how bloated things can get. (The pointers into the Lisp storage area all seem to be 24-bit...)

Re:

[makomk]

They did it via a bitfield and typecasting (or equivalent use of masks and bitshifts) - the other 8 bits are used for something else. On modern 32-bit machines like x86, it's more like an offset into an allocated Lisp storage area than a true pointer, for obvious reasons, but originally it was just an ordinary pointer stored in 24 bits...

Re:

[the_womble]

Its not that bad. I do not have MS Office for comparision, but it works nicely on a reasonably modern machine, and does not compare doo badly with other apps. Actual numbers:

PID PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4895 15 0 139m 68m 22m S 1.7 7.0 2:59.20 firefox-bin
4883 15 0 78020 52m 21m S 0.0 5.3 0:28.51 konqueror
4927 15 0 106m

Re:

[mspohr]

Hello? OO keeps getting bashed for being bloated but I did some tests a few days ago (when the same trolls were out in another thread) and both OO and MS Office each use about the same amount of memory and this is a very reasonable size on any machine that is less than 5 years old.

In short, the office suite (wp, spreadsheet, presentation) takes about 60 meg for OO.org and 65 meg for MS Office (v10) with no documents open. This is a very reasonable amount of memory on any computer that isn't ready for the

Re:Wait, who still uses M$ 0ffice?

[phrasebook]

I tried switching my dad to Open Office when we couldn't find the MS Office CD - he immediately complained that the small fonts he was using in his spreadsheets (less than 8 points) didn't render nicely in OO compared to Excel, so he went and bought a copy of Office 2003.

Little things like that count for a lot. OO might be more secure than MS Office, but it's terrible quality software in user-visible ways (i.e. it's ugly, slow and bloated). These things count to people. Little problems can't just be overlooked because it's free. My dad could pick it apart within minutes, and he doesn't normally care about software at all. He didn't care about paying for Office either, in fact he didn't think twice about it.

That's why. Nothing to do with TCO, Microsoft being evil, security, monopoly or anything else. OpenOffice just isn't very good in the ways that count to regular users.

Not only that...

[bogaboga]

I totally agree with your contribution. But in my case, my dad found OpenOffice to be just ugly! "The icons are too big," he complained. Even after making them "smaller" the whole interface remained "ugly."

• Then we have the long time it takes to load.

• Heck even saving a simple document tales a long time.

• The Gnome or GTK file dialog did not help matters at all. He found that he could not paste an HTTP link into this file dialog to have OpenOffice open the referenced file. In other words a file to be opened

Re:

[twistedcubic]

I think one drawback is that many people who use free software in their professional lives use tools that are far superior to MS Word for writing documents, and these people never test OO.org and thus never give positive feedback to OO.org developers. When you know for certain that MS Word is useless for your endeavors, any app attempting to replace it will be considered really useless. I think people are mistaken when they claim OO.org will be the magic bullet that thrusts free software into the mainstre

Re:

[Z34107]

Its help system seemed incomplete! Then help to complete it! [...] Your {Dad's} complaints ring hollow.

I wonder what would happen if Microsoft expected it's users to write their own help files.

Especially when a user who needs the help file will not be able to write it. (If he already knew what he was looking for, why would he be looking it up in help to begin with?)

Your Dad needs to choose between paying for MS Office and all that comes with it or accepting the free OpenOffice without impotent co

Re:Wait, who still uses M$ 0ffice?

[mcrbids]

If you knew enough to download it for him you should have known enough to turn on antialiasing for font sizes 8 and lower in the options menu.

And if you knew end-users enough to comment on them, you should have known enough that end-users won't know how to turn this on.

See, software shouldn't "get in the way" of what you're trying to do.

Re:

[smoker2]

If you knew enough to download it for him you should have known enough to turn on antialiasing for font sizes 8 and lower in the options menu.
And if you knew end-users enough to comment on them, you should have known enough that end-users won't know how to turn this on.
See, software shouldn't "get in the way" of what you're trying to do.

Oh dear, looks like this Microsoft Word Code Execution Exploit just "got in the way". So the end user is still at risk, is out of pocket by $cost_of_office, and expose

Re:

[TheLink]

Uh what makes you think OpenOffice isn't as bug ridden if not more so? AFAIK it crashes often enough that I _know_ it is bug ridden AND _will_ also have exploitable bugs.

In fact, people say some of those demo docs crash OpenOffice too.

Re:

[westlake]

In order for me to pay $400, I expect it have significantly more features that I'll use.

Who the hell pays retail list for a legit copy of Office?

Re:Wait, who still uses M$ 0ffice?

[Vengeance_au]

We use both Microsoft Office and OpenOffice in our company. OO is for all internal documents, and Microsoft Office is used for external client work - purely for interoperability with corporate / government clients. Open Office can save into Microsoft Office format, but there are invariably subtle differences in the final layout - and that is just plain unacceptable.

In the past 12 months a few clients have started using OO and we now share OO documents with them - but they are by far the minority. Hopefully the new "Open" format Microsoft is coming out with will break the barrier down, and allow pixel-perfect interoperability, but until then it is very difficult to operate in a corperate world without the "de-facto" Microsoft Office standard.

Re:

[flyingfsck]

Hmm, how about PDF for external comms?

Re:Wait, who still uses M$ 0ffice?

[SnowZero]

If you want more of your clients to change to OO, just run "strings" on their .doc files and email them the parts that came from other documents. That should be enough to get them to change their minds about it.

(For the uninitiated, As you edit a document in MS Word, it picks up bits of other documents you have open at the time or even previously opened. This is because it doesn't clear memory before using it, and the fast-save file format is really more a memory dump. This may have been fixed in the latest version of MS Word; I certainly hope so...)

Even OOo v2 doesn't interoperate with itself! wtf?

[KWTm]

Good luck trying to get pixel-perfect interoperability between MS Word and OOo. I can't even get OOo to interoperate with itself.

I was using OOo on my Linux (Kubuntu) system to make a Christmas card, embedding a picture and positioning the text so that I can print it out and then fold it into a Christmas card. But I don't have a printer hooked up, so I had to move it to OOo on my wife's Windows (2000) box to print it. But the text had mysteriously resized itself so that it no longer fit properly and spil

Re:Even OOo v2 doesn't interoperate with itself! w

[ThePhilips]

+100. I've been there too. [slashdot.org] Forget about simultaneously editing document on more than two computers. (In fact same goes for M$O - though overall compatibility/portability is much better.)

I would love it just to work, but at moment PDF export is only way to have portable (in read-only sense) document.

Re:Wait, who still uses M$ 0ffice?

[dc29A]

But seriously, why would anyone use anything M$ when there are non-stop bugs and security holes. Open Office / Google Writely anyone?

(Insert random application name here) with vulnerability running as root is the problem. MS Word hole only amplifies it because it's widely used. But the problem is that everyone and their dog is running Windows as administrator.

Re:

[Beryllium Sphere(tm)]

Yes, that's happening and it's insane, but the only gain from running as a less-privileged user would be to force an attacker to find or use a Windows privilege escalation vulnerability [princeton.edu].

Re:

[towaz]

I don't think they is any shortage of them right now. Due to the xmas season this could not have come at a worse time, I'm already seeing viral emails being passed at a stupid rate.

Re:

[quazee]

While you definitely should not rely on extension filtering, if a Word document has a completely random extension, it will not open with Word by default. However, since Word classic .doc format is based on ActiveDocument and OLE Compound Storage format, you can embed Word content into quite a lot of files.
So, opening any OLE Compound Document by an application supporting Active Document (including Word itself) could be dangerous.

However, double-clicking on document.qwer is actually harmless, unless you c

Re:

[sqlrob]

Some things aren't so harmless. .txt .rtf

I tested both of those with word docs, and word opened. RTF is fine, since that was default to Word anyway. TXT is defaulted to notepad.

Re:

[quazee]

Couldn't reproduce this with .txt - Notepad opens in my case (i'm using Word 2003).

Also, if you select something in Word and drag-and-drop it to a folder, a 'Scrap' file will be created with a hidden extension (.shs). This is one of the examples of ActiveDocument container dangers - .shs file may contain any ActiveDocument content.
Another way to exploit the ActiveDocument vector is to use Insert->Object...->Word Document command in PowerPoint, Excel, and even Wordpad :)

So, even explicitly openi

Re:

[makomk]

While you definitely should not rely on extension filtering, if a Word document has a completely random extension, it will not open with Word by default. However, since Word classic .doc format is based on ActiveDocument and OLE Compound Storage format, you can embed Word content into quite a lot of files.
So, opening any OLE Compound Document by an application supporting Active Document (including Word itself) could be dangerous.

However, double-clicking on document.qwer is actually harmless, unless yo

Re:

[MyLongNickName]

Who the fuck got this past whatever committee was reviewing design specs, and why haven't they been clubbed to death like a baby seal?

When the entire OS relies on the last three characters of a filename to handle filetypes, did nobody think this was a bad idea?

ROFL. Bad design? Sure. However, this concept dates so far back and is so entrenched that I don't see it going away any time in the next decade. So the "design specs" you are referring to are non-existent, or simply say "make it compatible with the wa

Re:

[dsci]

So the "design specs" you are referring to are non-existent, or simply say "make it compatible with the way the world has been doing things forever".

But the Unix world, which predates both Windows and MS-DOS, has NOT done it this way - EVER. This is the difference between an OS designed for true industrial use and one that is a bolt-on to a single user, mostly trusted environment system. Therefore, it IS a design problem. And it WILL be hard to fix.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Another day, another misfeature.

[dsci]

And UNIX people know this, as it took decades to fix their OS.

Speaking specifically about using file extensions, I think 'decades' is a little strong.

From Wikipedia's FILE entry [wikipedia.org]:

The original version of file originated in Unix Research Version 4 in 1973 ... file's position-sensitive tests are normally implemented by matching various locations within the file against a textual database of magic numbers (see the Usage section). This differs from other simpler methods such as file extensions and schemes like MIME.

Even if you happen to believe that the real improvements to file were not made until System V, that was 1983...so not decadeS, but decade.

So no, not a troll and not revisionist. You make it sound like Unix was not usable until the 1990's.

Re:

[dsci]

File was introduced in 1973 and was markedly improved in 1983. That's 10 years or one decade. How does 2006 enter into this discussion?

Re:Third Microsoft Word Code Execution Exploit Pos

[__aaclcg7560]

I did. My brain went blue screen and shut down. My attorney will be in touch.

Re:

[LarsWestergren]

Aha, so you have found thee nam-shub of Enki. Please inform the cult of Asherah.

Re:

[Apocalypse111]

Behold, the dangers of Microsoft wetware.

Tagging

[shadowmas]

Why is there both a bugs and a Microsoft tag on this article? isn't it rather redundant having both tags?

Suddenly, up pops: Hackie

[Anonymous Coward]

"I see that you are trying to craft an exploit. Would you like me to assist?" <blink, blink>

Re:

[John Sokol]

Oh, sh*t I love it. Someone needs to really implement this....