Microsoft Issues Zero-Day Attack Alert For Word

0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
  • zero day (Score:2, Interesting)

    by Anonymous Coward on Tuesday December 05, 2006 @11:03PM (#17123692)
    What the heck does zero-day mean?
  • by symbolset ( 646467 ) on Tuesday December 05, 2006 @11:19PM (#17123842) Journal
    EWeek is pretty good about reportage and editing. If their article says (and it does):
    There are no pre-patch workarounds available. Microsoft suggests that users "not open or save Word files," even from trusted sources.
    Then I believe they got that answer when they asked. Perhaps their phone reps are more forthright than their website. Imagine that.

    Not opening Word files seems like a good idea. Microsoft IP's in them, and that's icky.

  • Spam/Virus firewalls (Score:3, Interesting)

    by Twillerror ( 536681 ) on Tuesday December 05, 2006 @11:24PM (#17123920) Homepage Journal
    I'm not too worried about this because most users are aware of attachment exploits like this.

    I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.

    For the home user it is a bit more of an issue. At the same time most people use Yahoo, MSN, Google or some other account that has an active scanner that I'm sure will be able to block these in the short run... if not by analyzing the file, then by analyzing the subject line. Heck, chances are it'll look like spam, so my firewall won't let it through to begin with.

    I do wish MS would put out the technical details of this exploit. It sounds like some sort of a buffer overflow. Something tells me it is a graphic insert of some sort, but who knows.

  • Re:Lets see... (Score:3, Interesting)

    by dwater ( 72834 ) on Tuesday December 05, 2006 @11:30PM (#17123986)
    Any reference for that? I'd love to be able to quote such to ... well, anyone, really.
  • by bluefoxlucid ( 723572 ) on Tuesday December 05, 2006 @11:45PM (#17124120) Homepage Journal

    I recommend a full rewrite in C. OOo is C++ and Java, and it shows. It's an ugly code base and it's slow and bloated. It gave us one great thing: Michael Meeks dropped load time 40-70% by rewriting the linker and adding new types of non-standard hash tables, as well as sorting of both standard (without violating standards) and non-standard hash tables and ELF symbols.

    But you know why he did it? Because the way C++ symbols work, they flood us with namespace and class symbols, tons of vague linkage, and all kinds of cruft; around 90% of the time OOo spends loading is due to having to process data that's only there from C++, which a similar feature-for-feature C re-implementation wouldn't have (like name spaces and classes and virtual tables and such). Usually you can rewrite and get around having such things; it makes code a little more complex sometimes though, and I do recommend some form of object oriented language when you really need CLASS INHERITANCE.

  • Fair is fair... (Score:3, Interesting)

    by zappepcs ( 820751 ) on Tuesday December 05, 2006 @11:45PM (#17124128) Journal
    At least there was a warning rather than 43 unannounced patches next Tuesday, I'll say that much for them. It's a shame that there is no patch yet though. Without saying how detrimental this will be for MS, I'm thinking that now I can't tell people that OOo is just like MS Office but free... now I have to tell them that it's probably safer too. Ugggh, the people that want OOo and F/OSS software to be as good as MS Office and OS products really bug me, and this story is exactly why.

    Ya, sure, MS is the biggest target, so gets more hacker attention. Just the same, being king of the hill is not easy, and F/OSS software makers should do their best to simply keep doing things well, rather than doing them 'just like MS does', as it's not working out so good for Redmond today.

    Do everything that 80+% of users want, do it very well, and let the Excel gurus and desktop publishing companies do the things for those other 12% or so. That's the biggest bang for buck right there. That 12% might be the biggest spenders, but they also don't care about the cost, or don't want to retrain or convert etc. ad nauseam.

  • by Anonymous Coward on Wednesday December 06, 2006 @12:06AM (#17124332)
    ya, it is much better to trust your most secret internal documents to random third party "businessmen" over in whoknowswhereistan after you got *owned*.

    Microsoft: successfully extorting money from governments and businesses for a quarter century, and damn proud of it! Never has one company screwed up so much and profited from it in the history of the world. This is 2006 and people still pay good money for that utterly craptastic zero-warranty rubbish. No wonder the western economy is cruising on credit and trying to outsource reality; the combination of booze and coke at top managerial decision-making circles has finally about run the course, straight into the ground. They are running on fumes, inertia and bravado, because it sure isn't based on intelligence.

  • by Moron_Programmer ( 1036216 ) on Wednesday December 06, 2006 @12:53AM (#17124720)
    I'd rather kick in the nuts the guy who takes advantage of these 'exploits'. They cease to be exploits when there are none willing to exploit them.
  • by AlXtreme ( 223728 ) on Wednesday December 06, 2006 @03:26AM (#17125562) Homepage Journal
    JESUS H. CHRIST jumping a barbed wire fence, Slash editors. Who's letting these submissions across the wire? While slash is not a world-class journal or trade rag, it ought tot
    Welcome, you must be new here!

    They actually did say that, but you could claim the slashdot post was misquoted: "Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file."

    I know this is slashdot, but RTFA.
  • by kestasjk ( 933987 ) on Wednesday December 06, 2006 @04:38AM (#17125978) Homepage
    No, I don't, because nothing was "being exploited for months," and you can't cite a single incident to back up that claim. You just made it up on the spot.
    No, I didn't:
    "It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia [zdnet.com.au].


    None of the patches were zero-day exploits, and most were patches of UNIX utilities, not Apple software.
    Read the list [apple.com]. I count 13 out of 22 of the vulnerabilities are in Apple's code. Who's making things up on the spot here?
    None of them are zero-day exploits? Checking one of the UNIX utility vulnerabilities (because these are the only ones that we know when they were discovered) the perl vulnerability was discovered in December 2005.
    With this Word vulnerability MS discovered its use in the wild, and they've let everyone know and are working on a patch. With that perl vulnerability, and probably others in the list, it was discovered in 2005 and Apple only get around to releasing a patch now.
    At least you're right that that's not zero-day; that's negative-three-hundred-and-sixty-five-day.

    Have fun screening all your email from all your contacts in Outlook.
    I don't have to screen anything; I just won't open any Word documents. Look at the list above from Apple; you would have had to screen e-mail for HTML, new fonts, turn off your wireless card, not use any Windows shares, not go to any links to web pages given in e-mails, not go to any suspect web pages, etc, etc. The only difference is that Apple don't post security bulletins giving people warning, that might damage sales.
    Have fun having a false sense of security though.
  • by Rick17JJ ( 744063 ) on Wednesday December 06, 2006 @04:39AM (#17125988)

    They could also use OpenOffice [openoffice.org] instead, at least temporarily. There are also other free alternatives such as using AbiWord [abisource.com] to view Word documents that they receive from customers. AbiWord is a well-known alternative for Linux computers, but I see they also have Windows and Mac versions too. I also see that Word 97 isn't on their list of affected software, so perhaps businesses could also consider just using their old copies of Office 97 to view incoming documents for the next few weeks (or did they just neglect to mention any version of Word that old?).

    At home, I use OpenOffice running under Ubuntu Linux, so I should still be able to view Word documents safely.

  • by TheRaven64 ( 641858 ) on Wednesday December 06, 2006 @08:59AM (#17127514) Journal

    trust me, repagination is a lot of work, and it's already bad enough in long documents

    I don't use a word processor, I use LaTeX, which seems to have much better layout rules than any version of Word I have seen. The document I am working on is around 200 pages. Compiling it (including invoking gnuplot to draw a load of graphs, pulling in a few code files and syntax highlighting them, constructing an index and bibliography, and making sure all cross-references are correct) takes 7 seconds of wall time on my current laptop, and most of that is time spent waiting for I/O.

    Oh, and much of the typesetting code used by LaTeX is written as interpreted macros that are run by the TeX runtime system. If it were all hard-coded, even in Java, it would be even faster.

    Earlier this year, I saw a demo of a typesetting system written in Smalltalk (and running in the Squeak VM) that represented every character as an object, with simple rules (e.g. stay next to next character, jump to next line if you are over the margin, jump to the end of line if there is only whitespace between you and the end of line). It ran very fast; he dragged an image across a multi-page document, and the text re-flowed around it, and the entire thing was written in a couple of pages of Smalltalk.

    If pagination is slow in Word, then I can only imagine it's because the developers need replacing.

  • Use OO to "defang"? (Score:3, Interesting)

    by Kadin2048 ( 468275 ) on Wednesday December 06, 2006 @10:08AM (#17128360) Homepage Journal
    I initially thought about using OpenOffice; I think it's probably the best solution overall, since it's free and you can get it right now. But let's say you absolutely need to work in Word -- how can you make sure that a document is safe?

    If you opened a document in OO, and then saved it, would the resulting document be guaranteed to be clean? What if you saved it as an RTF and then opened that back up in Word? That would probably lose a lot of people's fancy formatting, but it would preserve most of the content and markup. I suppose the most paranoid thing to do would be to save all documents out to ASCII and then open them up in Word, but at that point you've negated any reason to use Word in the first place.

    If OO tries to open a file, and it has a maliciously-crafted (which to OO, I assume, would appear corrupt) binary object in it, will OO refuse to open the file / remove the corrupt object? Or will it just ignore it and continue on its way?
  • by OglinTatas ( 710589 ) on Wednesday December 06, 2006 @11:01AM (#17129412)
    You, sir, are spot on. Back when macro viruses were rampant, when Word 6 would unexpectedly corrupt Word documents and make them "unreadable," it was WordPerfect to the rescue. The file conversion would strip any macro viruses and would ignore formatting that it couldn't understand; compromised/corrupted files could be rescued (and re-saved in Word 6 format to begin the process again, because officially we are a Microsoft-only shop).
  • by mysticgoat ( 582871 ) * on Wednesday December 06, 2006 @11:25AM (#17129830) Homepage Journal

    ...how on earth can someone code so sloppily that a WORD PROCESSOR has a serious security exploit?!

    Shit happens.

    The more significant question is how on earth could an exploit like this manage to get by Quality Assurance for so many years?

    The answer is that the Coding For Profit paradigm necessarily imposes a limitation on quality assurance since QA is an expense that must be charged against profits.

    A viable workaround is to Code For Free under one of the open source licenses where you can nurture a community of bug-hunters and developers who provide good quality assurance for free. You generate your profits from other aspects of the software business, such as service. IBM and Redhat are doing pretty well with this approach. Until recently I would have mentioned Novell here too, but now there's some doubt about whether Novell will survive what might prove to have been a fatal error.

    Wake up little SUSE! The movie wasn't so hot.... but I digress.

    I expect that in the next few weeks Microsoft will offer as a workaround a free plug-in that will convert all documents to its new ECMA approved standard. MS will point to Novell as an alternate supplier (therefore avoiding immediate monopolistic legal hassles). MS will point out that MS Office 2007 will be immune to this exploit, so all businesses really need to do is to install the free plug-in and begin migrating their documents to the new format. Which will be supported by Novell's version of OpenOffice, btw, no sneaky deals here, huh?

  • by kestasjk ( 933987 ) on Wednesday December 06, 2006 @01:44PM (#17132766) Homepage
    I doubt anyone is really this stupid, you must be a troll, but what the hell...

    Yes, you absolutely did. There are no exploits running around in the wild affecting Macs. You can't cite a single real-world example. Not a single one.
    "running around in the wild"? An exploit is a piece of code which can be used to exploit a vulnerability. One thing that the rm-my-mac-mini competition showed is that exploits have been written for undisclosed OS X vulnerabilities. If no exploits existed how could OS X's security have been breached, and the Mac Mini's files deleted? Q.E.D.; exploits do exist for OS X.

    Absolutely correct. None of them are being exploited at all.
    As I showed above exploits have been written for OS X. What you are saying is that the only time exploits have ever been used against OS X was in the rm-my-mac-mini competition. The hackers that look for security holes in Apple's software, and don't disclose the holes, never exploit the holes they find; they just do it in case rm-my-mac-mini competitions come up.

    And yet nobody's exploiting it, because OS X's security prevents access. Next.
    What about the Safari vulnerability that allows you to remotely execute code? What about the Webkit vulnerability, or the AirPort vulnerability, or the Windows share vulnerability? OS X seems to allow access more than prevent it.

    Which should tell you just how "urgent" it was to fix something that wasn't really a problem in the first place.
    So holes like anyone being able to get complete access to your machine simply by you connecting to someone wirelessly, or looking at a malicious webpage, or accessing a malicious share or folder, aren't urgent to you? If not then I should say that there's a difference between being secure, and simply not valuing your security.

    Lies, lies, and more lies. 100% false in every way imaginable.
    But I'm citing Apple's own list of patches. Do you believe Apple's security is so flawless that the only explanation for their list of critical security holes is that they're lying?

    Ah, the old "false sense of security" canard, despite the fact THERE IS NOT A SINGLE EXPLOIT RUNNING IN THE WILD THAT IS INTRUDING ON A SINGLE MAC. You can't cite a single one. Go for it.
    See above; rm-my-mac-mini couldn't have happened without an exploit. If you're wondering why I keep referring to rm-my-mac-mini it's because hackers or script kiddies with OS X exploits generally don't make a habit of letting everyone know what they've been up to. rm-my-mac-mini is a source which I can cite which conclusively shows that exploits have been written for OS X vulnerabilities. (PS Writing in caps doesn't make people ignore the fact that your (only) argument has already been addressed)

    The argument you seem to be stumbling towards is "OS X has practically no market share, so no piece of malicious software written for it can be mass distributed effectively, therefore OS X is secure."
    Luckily for you barely anyone owns a Mac. By the same logic I could say "MS-DOS 6.22 is a perfectly secure, robust OS; there's not a single exploit being used against it".


    By the way, have you noticed the recent MySpace worm [infoworld.com] that's being spread with QuickTime? QuickTime is just about the only piece of Apple software that a large number of people use to process data directly from the web, and sure enough hackers find a way to exploit it.
