Forgot your password?
typodupeerror
Microsoft Security IT

Third Microsoft Word Code Execution Exploit Posted 174

gregleimbeck writes "Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened."
This discussion has been archived. No new comments can be posted.

Third Microsoft Word Code Execution Exploit Posted

Comments Filter:
  • by Rupan ( 723469 ) on Thursday December 14, 2006 @08:47PM (#17247580) Homepage
    The gdb backtrace shows that the crash occurs in SwIoSystem::IsFileFilter (). EIP may not have been overwritten; the value points into what appears to be a valid function (i.e. not the stack or heap):

    eip 0xb7286b4d 0xb7286b4d osl_getVolumeInformation+4487

    Of course, this is probably because the exploit was designed to crash MS Word in the first place, not execute arbitrary code.
  • by phrasebook ( 740834 ) on Thursday December 14, 2006 @09:02PM (#17247750)
    I tried switching my dad to Open Office when we couldn't find the MS Office CD - he immediately complained that the small fonts he was using in his spreadsheets (less than 8 points) didn't render nicely in OO compared to Excel, so he went and bought a copy of Office 2003.

    Little things like that count for a lot. OO might be more secure than MS Office, but it's terrible quality software in user-visible ways (i.e. it's ugly, slow and bloated). These things count to people. Little problems can't just be overlooked because it's free. My dad could pick it apart within minutes, and he doesn't normally care about software at all. He didn't care about paying for Office either, in fact he didn't think twice about it.

    That's why. Nothing to do with TCO, Microsoft being evil, security, monopoly or anything else. OpenOffice just isn't very good in the ways that count to regular users.
  • by mcrbids ( 148650 ) on Thursday December 14, 2006 @09:18PM (#17247904) Journal
    If you knew enough to download it for him you should have known enough to turn on antialiasing for font sizes 8 and lower in the options menu.

    And if you knew end-users enough to comment on them, you should have known enough that end-users won't know how to turn this on.

    See, software shouldn't "get in the way" of what you're trying to do.
  • by Gothmolly ( 148874 ) on Thursday December 14, 2006 @09:21PM (#17247928)
    ...imagine what could be done with 10k of executable code

    Run Visicalc?
  • by ZahnRosen ( 1040004 ) on Thursday December 14, 2006 @09:24PM (#17247956) Homepage
    This goes under the category of basic internet security. Don't open files from people you don't know. And if you do get a wierd file from someone you don't know stop and think for 10 seconds about it before you open it. Or, buy a mac.
  • by dc29A ( 636871 ) on Thursday December 14, 2006 @09:51PM (#17248212)
    But seriously, why would anyone use anything M$ when there are non-stop bugs and security holes. Open Office / Google Writely anyone?

    (Insert random application name here) with vulnerability running as root is the problem. MS Word hole only amplifies it because it's widely used. But the problem is that everyone and their dog is running Windows as administrator.
  • by that this is not und ( 1026860 ) on Thursday December 14, 2006 @09:55PM (#17248260)
    To the contrary, OpenOffice requires significantly more hardware resources to run than usable versions of MS Office. I have run Office 2000 in a usable state on an old '486 laptop with 40M of ram.

    Open Office is unusable on such a machine. It's probably 'coded better' with C++ and what-not, creating bloated structures and resource piggishness. There is probably an old version of StarOffice that would run fine on the '486, but the notion that OpenOffice is magically 'less of a load on the machine' is just wrong.
  • by TigerNut ( 718742 ) on Thursday December 14, 2006 @10:43PM (#17248756) Homepage Journal
    You can't fault the programming language. The problem is in the application if it doesn't check buffer size against how much data is being read; it's in the OS if the problem is occurring when the application does a system call of some sort and is compromised in the process.

    However... it looks like there are Oo.org users digging into that side of the problem. Probably they'll have an accurate synopsis of the failure mechanism and a patch on the way in a few days. Unfortunately we can't say the same (with the same confidence level) about MS Word.

  • C++ (Score:4, Insightful)

    by Z34107 ( 925136 ) on Friday December 15, 2006 @01:33AM (#17250542)

    Uh if that happens then the language used is obviously unsafe.

    The language isn't "unsafe" - it just lets you do some very, very nifty stuff that noobtard programmers are better off leaving alone.

    C++ has perfectly "safe" features - the Standard Template Library has container classes like strings and vectors that won't overflow no matter how careless you are.

    For those who insist on going down to the byte level and concatenating their strings themselves, Microsoft included "safe" versions of these functions in Visual Studio 2005, and will compile with warnings if you use the dangerous, buffer-overrun-producing variants.

    Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit?

    Because a hacker's input and a programmer's overconfidence in his manual input validation (or lack thereof) put the hacker's code over the program itself. It fit just fine where the still-running program used to be.

    This can happen in any language - C++ programmers are simply notoriously bad at input validation.

  • by fostware ( 551290 ) on Friday December 15, 2006 @03:14AM (#17251378) Homepage
    OLE, DDE, etc...

    People's pretty WordArt wouldn't work otherwise

    Wait until you see how Publisher files are constructed - AFAICR each text box is a mini Publisher OLE object and let's not start on the picture boxes

    I feel sick just thinking about it :S
  • Unbelievable (Score:4, Insightful)

    by AftanGustur ( 7715 ) on Friday December 15, 2006 @05:26AM (#17252162) Homepage

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself."

    If this is a standard practice at Microsoft, I'm beginning to understand why they are so relunctant to publish their protocols and standards.

"If you don't want your dog to have bad breath, do what I do: Pour a little Lavoris in the toilet." -- Comedian Jay Leno

Working...