Forgot your password?
typodupeerror
Security Bug IT

Microsoft Issues Zero-Day Attack Alert For Word 483

Posted by kdawson
from the incoming dept.
0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
This discussion has been archived. No new comments can be posted.

Microsoft Issues Zero-Day Attack Alert For Word

Comments Filter:
  • by sylvainsf (1020527) on Tuesday December 05, 2006 @10:53PM (#17123564)
    That the business world just stop for a few minutes(days, weeks) while they fix this.
    • by Anonymous Coward on Tuesday December 05, 2006 @10:58PM (#17123614)
      • by Anonymous Coward on Tuesday December 05, 2006 @11:07PM (#17123728)

        Yes! Great idea! Just trust all of your internal documents to a random third party company with no privacy guarantees. But hey, at least they've made a vague "Do no evil" promise!!1!

        • Re: (Score:3, Insightful)

          by eugene_roux (76055)

          Yes! Great idea! Just trust all of your internal documents to a random third party company with no privacy guarantees.

          Yes, your Sarcasm is well placed. Yet another reason not to use Microsoft products!

          But hey, at least they've made a vague "Do no evil" promise!!1!

          Oh, you meant Google, not Microsoft! Ah, well, this -- at least -- is something you'll have to wait for hell to freeze over before you get from Microsoft...

          • Re: (Score:3, Funny)

            by ConceptJunkie (24823) *
            Microsoft has made no promise about not doing evil, and they've shown it on a daily basis for 15 years.

            Of course, I would actually be happier if Microsoft would make a promise to "Do no stupid."

      • by pdbaby (609052) on Wednesday December 06, 2006 @12:01AM (#17124286)
        Isn't it more likely the sales patter for Office 2007 will become of course, if you were using our latest version...?
        Not that I'm suggesting Microsoft engineered it, mind... but it might not be as bad for them as seems initially
      • Re: (Score:3, Funny)

        by Dekortage (697532)

        I met a college student last year who writes all of her papers in Adobe Photoshop. She just sets up 300dpi pages and types all the text into text boxes. That way she could make pretty photographic backgrounds. And there are NO security issues!

        I didn't realize it then, but she is obviously a genius.

    • by Anonymous Coward on Tuesday December 05, 2006 @11:03PM (#17123684)
      I wish Microsoft were a person. Then I could go up and kick that person in the nuts.
    • by PsychicX (866028) on Tuesday December 05, 2006 @11:49PM (#17124164)
      The slashot summary is deceptive (probably deliberately). From TFA:
      Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.
      The point is that there is a danger that a trojan on someone else's machine could start spreading infected Word files inside a corporation, or just amongst friends. Note furthermore:
      The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
      Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
      It can't be triggered automatically, and limited accounts (like every Vista system) will be largely unaffected. (Because exploits will usually try to root the box or install something, both of which will be prevented.)

      Also observe that Office 2007 isn't affected. Obviously MS is doing something right in the next generation of their products.
      • by ewl1217 (922107) on Wednesday December 06, 2006 @12:01AM (#17124282)
        Also observe that Office 2007 isn't affected. Obviously MS is doing something right in the next generation of their products.
        You mean like not releasing them yet?
        • by cloricus (691063) on Wednesday December 06, 2006 @02:22AM (#17125258)
          Is the GP just an out right moron?

          (Serious non-flaming post ahead so don't mark me troll before at least reading!)

          Putting aside your Microsoft fanboy attitude of 'oh just buy the next version and all will be well!' lets look at this objectively. And for the sake of being kind I wont go into details of how painful this will be for business in general; Sticking to the simple points will do just find to point out how horrible this is.

          > Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.

          Now you sound new to the world of tech as you haven't been embittered against Microsoft so I'll give you a break on this one. End users have two types of authentication; 'This looks shiny' *click* and 'Oh I know this person' *click*. So in reality the summary is an effective warning and really if some one in a business gets a document saying AccountsNov06.doc who is to say it is expected or unexpected - some one sent you the accounts and a nice little social engineering spiel to lure you to the click. Yes boss, three bags full boss.

          > The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

          > It can't be triggered automatically, and limited accounts (like every Vista system) will be largely unaffected. (Because exploits will usually try to root the box or install something, both of which will be prevented.)

          See previous post about *clicky*. If you boss tells you to deal with AccountsNov06.doc then you deal with AccountsNov06.doc and that usually, if I'm not mistaken, involves opening it for a start. Also largely unaffected; what does that really mean? There will be a box come up saying 'Click me like you usually do as I get in the way of every simple task' because let me tell you as a system administrator even I started clicking them without thinking after two hours of testing Vista. Finally on this topic users who have limited accounts is a joke - even with your AD locking down almost all of the system most places still allow execution of applications and scripts which may have decent root kitting abilities that bypass user rights - only high schools and net cafes go the whole nine yards.

          And lastly you have the gem of saying Microsoft is great because their next product line isn't affected. I think the parent to this post addressed this point perfectly with the following:

          > You mean like not releasing them yet?

          Which points out the flaw in your argument very nicely. Still it is worth expanding for those unfamiliar with Office 2k7 in that a) it implements a new XML document format which has nothing to do with .doc so isn't affected and b) they have time to fix their .doc filter layer so this doesn't happen in the wild under 2k7 - in fact I'd almost wager a decent price that the current release of Office 2k7 floating around the MS offices has the flaw and if it doesn't I'd be raising questions that this was a stunt to force upgrades and kill off .doc faster.

          Either way before you mouth off at Slashdot consider the topic and its implications to users and business first; there are many real Slashdot exaggerations that are stabs at Microsoft and this isn't one of them. Some times it is apt to say that Microsoft really did drop the ball.
        • Here is a message we sent to customers. Links were added for posting on Slashdot:

          Everyone,

          Don't use Microsoft Word. Use Open Office instead. This advice remains effective until Microsoft releases a patch, and it is installed.

          Microsoft just issued a security advisory [microsoft.com] warning people not to open Microsoft Word documents unless they have the latest version of Microsoft Word, which was just released, and costs [microsoft.com] $329 for the upgrade, or $679 for the most powerful full version.

          On the security advisory we
      • by ergo98 (9391) on Wednesday December 06, 2006 @12:36AM (#17124588) Homepage Journal
        The Slashdot summary is deceptive (probably deliberately).

        It's probably closer to the mark than "receive unexpectedly". If someone in a corporation became infected, and they infect documents on a shared network location -- game over. Other users don't have to "receive" it via a classic-email virus, but rather they just have to go about their daily business. You touched on this yourself, and it is why this does basically mean "there be dragons" for all word files in corporations.
        It can't be triggered automatically, and limited accounts (like every Vista system) will be largely unaffected.

        Phew! Now that we know that the burgeoning community of Vista users will be "largely unaffected", we're safe! That comprises the set that downloaded and installed the RTM from MSDN, so at a minimum, around an installed base comparable to QNX.

        In any case, "largely unaffected" is more deceptive than the Slashdot summary (which came right from Cnet) -- the risk of compromises nowadays are seldom that they'll reconfigure your drivers or repartition your drive, thus requiring admin rights (when was the last time a virus was actually maliciously destructive in such a manner?), but rather that they'll compromise data integrity/security. If Bob is a normal user, but he's in HR and thus has rights to HR information, then so does an exploit running as Bob the unprivileged numbers-monkey.
      • by TheVoice900 (467327) <kamil&kamilkisiel,net> on Wednesday December 06, 2006 @12:37AM (#17124614) Homepage
        It's not really deceptive, I often get attachments from almost everyone I regularly correspond with without expecting them first. Am I supposed to now call or email everyone I know every time they send me something to confirm that they intended to?

        As for being hardly affected, it simply says LESS affected. What's to prevent the trojan from taking over your Outlook client and using it to send spam and propagate itself to everyone you know as well. Doesn't take root to do that, nor countless other things.
  • by filesiteguy (695431) <kai@perfectreign.com> on Tuesday December 05, 2006 @10:54PM (#17123574) Homepage
    If I can't even open my friends' documents then what am I - as a manager to do?

    Oh, wait - I don't do anything anyway and my life revolves around Excel.

    Nevermind.

  • by Feyr (449684)
    not open .doc ? are they fucking insane? 90% of the business is just that messing with .doc

    guess we know who to thanks when productivity drops to zero in the coming days!
  • Lets see... (Score:5, Funny)

    by jlarocco (851450) on Tuesday December 05, 2006 @10:56PM (#17123604) Homepage

    So let me get this straight... For the time being the only safe Word files are new files that other people don't need to open?

    But hey, you saved a ton of money on retraining costs.

  • what about OO.org? (Score:5, Insightful)

    by no reason to be here (218628) on Tuesday December 05, 2006 @10:58PM (#17123618) Homepage
    Could the problem be avoided by opening the any .doc files with OO.org? i'm assuming that the exploit will only work if the file is actually opened with word, so it would stand to reason that opening it with some other application would be safe. can anyone tell me why i'm wrong?
    • Re: (Score:3, Interesting)

      by OglinTatas (710589)
      You sir, are spot on. Back when macro viruses were rampant, when word 6 would unexpectedly corrupt word documents and make them "unreadable," it was wordperfect to the rescue. The file conversion would strip any macro viruses, and would ignore formatting that it couldn't understand, compromised/corrupted files could be rescued, (and re-saved in word 6 format to begin the process again, because officially we are a microsoft only shop)
  • Good Advice (Score:4, Funny)

    by antonyb (913324) on Tuesday December 05, 2006 @10:58PM (#17123620)

    Microsoft suggests that users 'not open or save Word files,' even from trusted sources."

    Good general advice, really. They should put that on the Office packaging, like on a packet of cigarettes.

    ant

  • A Smarter Choice (Score:2, Insightful)

    by Anonymous Coward

    Microsoft suggests that users 'not open or save Word files,' even from trusted sources.
    Unless you're using OpenOffice [openoffice.org].
  • by Tsu Dho Nimh (663417) <abacaxi.hotmail@com> on Tuesday December 05, 2006 @11:00PM (#17123640)
    In the meantime, download and use OpenOffice [openoffice.org]
  • by Aardpig (622459) on Tuesday December 05, 2006 @11:00PM (#17123648)
    So, Microsoft are basically telling us to stop using Word? Sounds like great advice to me -- cheers, Bill!
  • First, an exploit in IE causes MS to tell us to type in links manually rather than click them.

    Now MS advises everyone not to use their flagship bloatware? There simply aren't enough R's, O's, F's and L's in the fabric of space-time to express how funny this is.

    Or they're just scraping the bottom of the barrel for ideas on how to get people to upgrade to Vista and Office 2007.

  • Seriously, please be a joke. This shit is going to be hell to try and explain to everyone at work, and then un-explain later, without totally fucking up all the investment in getting them to not infect their machines with all manner of crap. :(
  • zero day (Score:2, Interesting)

    by Anonymous Coward
    What the heck does zero-day mean?
    • Re: (Score:3, Informative)

      by kcbanner (929309)
      It means an exploit there is no patch for! Its the zeroth day that they know about it :P
    • Re:zero day (Score:4, Informative)

      by DebateG (1001165) on Tuesday December 05, 2006 @11:18PM (#17123830)
      Zero day [wikipedia.org]: At the time the details of the exploit are published (or the patch is released), there already is an active exploit being circulated. I guess if you don't know exactly when the exploit was released it's a technically "less than or equal to zero-day" exploit, but that doesn't sound as sexy.
    • Re:zero day (Score:5, Informative)

      by LarsG (31008) on Tuesday December 05, 2006 @11:19PM (#17123836) Journal
      It means that there is a working exploit out there in the wild, which is using a vulnerability that was previously unknown to the security community / the software maker. That is, there was zero days warning.
    • Re: (Score:3, Informative)

      by nine-times (778537)
      A simple search [wikipedia.org] would turn up the answer. It basically means there's no warning, and no time to prepare. The exploit's existence is made public the same day as the flaw's existence.
  • Misleading summary (Score:4, Informative)

    by 2cv (651583) on Tuesday December 05, 2006 @11:04PM (#17123696)
    The Security Advisory doesn't say not to open any DOC files. It says:
    Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file.
    I wish sometimes I could mod article summaries...

    2cv
    • EWeek is pretty good about reportage and editing. If their article says (and it does):
      There are no pre-patch workarounds available. Microsoft suggests that users "not open or save Word files," even from trusted sources.
      Then I believe they got that answer when they asked. Perhaps their phone reps are more forthright than their website. Imagine that.

      Not opening Word files seems like a good idea. Microsoft IP's in them, and that's icky.

  • Hey, I like to bash Microsoft as much as the next guy, but there is a pretty bad rewrite going on here.

    Microsoft DOES NOT suggest that

    users 'not open or save Word files,' even from trusted sources."

    as stated in the summary.

    What they do say is :

    Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources.

    That is nothing more than standard precautions that one should take anyway. If you aren't expecting an attachment, don't open it. If you

  • by Absolut187 (816431) on Tuesday December 05, 2006 @11:05PM (#17123708) Homepage

    Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
    [pause] You know what - Just to be safe, maybe you just shouldn't boot up any Windows PCs for a few days. And if you do: For god's sake, don't plug in a network cable.
  • Blurb slightly-FUD (Score:3, Informative)

    by Repton (60818) on Tuesday December 05, 2006 @11:06PM (#17123722) Homepage

    The actual quote from the Microsoft page is:

    Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.

    If you send an email to Fred saying "Can you send me xxxx", and Fred replies, saying "Here it is", you can probably safely open the attachment. You should just exercise caution when Fred sends you an email out of the blue saying "Hey, read this would you?".

    • by Elixon (832904)
      > If you send an email to Fred saying "Can you send me xxxx", and Fred replies, saying "Here it is",
      > you can probably safely open the attachment. You should just exercise caution when Fred sends you
      > an email out of the blue saying "Hey, read this would you?".

      Should Fred open my message "Can you send me xxxx" if it was not preceded by Fred's message "Can you send me your 'Can you send me xxxx'"?

      Or should I pick up the phone to inform the Fred that I'm sending the "Can you send me xxxx" message to
    • Re: (Score:3, Funny)

      by sharkey (16670)
      But, I send you this file to ask you advice!
    • FUD police (Score:3, Insightful)

      by symbolset (646467)

      The quote in the summary was from TFA and was correct.

      Your guidance is wrong. "Probably" means more likely than not. According to Microsoft's own statistics Fred's XP workstation is "probably" a rooted, keylogging spambot zombie. His files safe? Get real.

      On the other hand, your machine is "probably" exploited already too, so why not just give up? Everyone else has. It's not like anybody wants to read your boring data anyway, right? Besides, what are we to do? If we can't use Office, we might as well

  • > 'not open or save Word files,'
    Do they call it "The Evolution of Microsoft Office"?

    > To help you understand more about the merits of Microsoft Office 2003, we are preparing the new series of FREE training courses for you.
    TRAINING COURSE - RULE#1: Don't open or save Word files!

    > It's time for an evolution! Act now to take the Microsoft Office 2003 Training Courses and get rid of your current backward office!
    TRAINING COURSE - RULE#2: Since you cannot open/save your documents... get rid of your curre
  • Obvious Response (Score:4, Insightful)

    by cheese-cube (910830) <cheese.cube@gmail.com> on Tuesday December 05, 2006 @11:16PM (#17123808) Homepage
    And thus begins the torrent of Microsoft mocking posts. Get your mod-points out and set them to +5 Funny because the laughs are only just beginning. *sigh*
  • by SirKron (112214) <<brian.kronberg> <at> <gmail.com>> on Tuesday December 05, 2006 @11:17PM (#17123816)
    This is a new spin to upgrade to their new Office 2007 product line.
  • I'm seeing this as a HUGE opportunity to start the text document revolution. You can get really creative with characters and create some really romantic notes with text. Chicks would surely go nuts for a guy who could create character-based graphics with text!
  • Oh, great! (Score:5, Funny)

    by Marsala (4168) on Tuesday December 05, 2006 @11:23PM (#17123910) Homepage

    Yet ANOTHER feature Word has that OpenOffice doesn't. :(

  • Spam/Virus firewalls (Score:3, Interesting)

    by Twillerror (536681) on Tuesday December 05, 2006 @11:24PM (#17123920) Homepage Journal
    I'm not to worried about this because most users are aware of attachment exploits like this.

    I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.

    For the home user it is a bit more of an issue. At the same time most people use Yahoo, MSN, Google or some other account that has active scanner that I'm sure will be able to block these in the short run...if not by analyzing the file by analyzing the subject line. Heck, chances are it'll look like spam to my firewall won't let it thru to begin with.

    I do wish MS would put out the technical details of this exploit. It sounds like some sort of a buffer overflow. Something tells me it is a graphic insert of some sort, but who knows.

    • I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.

      And what do you do about the exploits already mailed to you, before the firewall suppliers figure out signatures and put them in place?

      And if they don't successfully design signatures to catch ALL exploits of the flaw, what do you do about later stuff that exploits the flaw differently, and arrives in the window before signatures for THAT exploit are devel
  • by surfcow (169572) on Tuesday December 05, 2006 @11:42PM (#17124098) Homepage
    Dear Professor,

    My final project for the semester is attached as a Word document. If you have any problems reading it, please let me know. Me and everyone else in your address book.

    Don't have to worry about grading it. By the time you read this, I will have used the root-kit to grade it myself.

    Nice porn, by the way! You dog! We'll make this our little secret.

    love,
    toodles

  • by erroneus (253617) on Tuesday December 05, 2006 @11:45PM (#17124118) Homepage
    Except that I have been saying that for years. MS Doc format is an untrustworthy format. It has been known to carry unexpected payloads in the past and there are alternatives which are known to be safer yielding similar if not identical results for most people. (And if someone thinks they actually NEED to have VBA in a word document, I'd have to suggest there's probably a better way to program your way out of the situation you find yourself in. I just haven't been able to think of a good reason to have programming code in a Word document and I haven't seen a good example either. Can anyone offer a reason good enough?

    ODT works well... hell, for that matter RTF works well enough for most people.
  • Fair is fair... (Score:3, Interesting)

    by zappepcs (820751) on Tuesday December 05, 2006 @11:45PM (#17124128) Journal
    At least there was a warning rather than 43 unannounced patches next Tuesday, I'll say that much for them. Its a shame that there is no patch yet though. Without saying how detrimental this will be for MS, I'm thinking that now I can't tell people that OOo is just like MS Office but free... now I have to tell them that its probably safer too. Ugggh, the people that want OOo and F/OSS software to be as good as MS Office and OS products really bug me, and this story is exactly why.

    Ya, sure, MS is the biggest target, so gets more hacker attention. Just the same, being king of the hill is not easy, and F/OSS software makers should do their best to simply keep doing things well, rather than doing them 'just like MS does' as its not working out so good for Redmond today.

    Do everything that 80+% of users want, do it very well, and let the Excel gurus and desktop publishing companies do the things for those other 12% or so. That's the biggest bang for buck right there. That 12% might be the biggest spenders, but they also don't care about the cost, or don't want to retrain or convert etc. ad nauseum.

  • by flyingfsck (986395) on Tuesday December 05, 2006 @11:50PM (#17124170)
    How is one supposed to exercise caution when opening a Word document? Do click on it slowly and deliberately, or do you click it carefully after giving the PC a pat on the head...
  • by MrLint (519792) on Tuesday December 05, 2006 @11:55PM (#17124224) Journal
    Office for MacOS X has 2 versions: v.X (10.x) and 2004 (11.x)

    There is no 'Microsoft Word 2004 v. X for Mac'
  • by cheeseboy001 (986317) on Wednesday December 06, 2006 @12:21AM (#17124474)
    Did anyone else read that as "Microsoft Ossues Zero-Day Attack Alert For World"?
  • by rssrss (686344) on Wednesday December 06, 2006 @04:12AM (#17125834)
    you will be vindicated. I have stuck with Office 97, because I have never thought that any of the "improvements" that M$ has made in newer versions of Office were worth the price of a new program. It is now too old to be affected by the latest virus. Lord, this is sweet.
  • by ThinkFr33ly (902481) on Wednesday December 06, 2006 @11:45AM (#17130222)
    ... without spreading FUD along with it. Microsoft did *not* say you shouldn't open documents "even from trusted sources". They said [microsoft.com]:

    Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.

Life. Don't talk to me about life. - Marvin the Paranoid Anroid

Working...