Word Vulnerability Compromised US State Dept.

hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Departments network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"

Hmmm...hackers

[Spookticus]

It seems those hackers missed the Philippines and accidentally hit the state department instead

Quick

[WED Fan]

Quick everyone, the bandwagon is getting ready to leave. Jump on.

(Insert Troll Here)

[WhiteWolf666]

Queue the legion of Microsoft apologists, saying things like:
a) It's only because MS Office has the largest market share, this could of happened to any office suite!
b) It's not a big deal, obviously the state department's IT department is incompetent.
c) Damn Hackers, always trying to ruin a good thing!
d) Macs run on Intel processors now, so they're vulnerable too!
e) This is probably because the NSA sponsors SELinux.
f) In Soviet Russia, MS Office hacks YOU!

Did I miss any?

Re:Hmmm...hackers

[dclozier]

and bush won again. just who are these hackers? :D

Re:Great news for open formats

[aputerguy]

Friends don't let Friends use Micro$oft...

The airlock is closing...

[djupedal]

"...then had to sever internet connectivity to avoid leaking too much data!"

"Cap'n, we're having a wee bit 'o trouble in IT - we're leaking data down here like no one's bloody business - we may have to sever communications!"

"Scottie - is it really that bad...? Isn't there some alternative that will buy us more time??!! I need more time, dammit man!"

"Cap'n, I'm only a Star Fleet Engineer, not the Queen's magician..."

"Well, Engineer...see if you can pull a rabbit out of your ass and buy me five more minutes before you cut us off. That's all we need to make the jump, and after that you can cut your nuts off for all I care!"

"Aye, Cap'n...do me best - one shit-stained rabbit, com'n up - IT out!"

Re:Quick

[grcumb]

What magical office software do you use that is apparently 100% bug free?

Emacs

*ducks and runs*

Must suck to be Lenovo...

[cunina]

...knowing that your products were banned from the State Department for some theoretical and highly unlikely exploit, while Microsoft Word continues to be used there despite a documented (no pun intended) security breach attributed to it.

Re:(Insert Troll Here)

[Beefchief]

g) Cue the Grammar Nazi that points out the difference between "cue" and "queue" :)

Re:(Insert Troll Here)

[necrostopheles]

h) And the one that points out could of != could've

The first is a phrase that doesn't make sense, and the second is a contraction of "could have".

Re:Quick

[aichpvee]

Does that include a decent text editor yet?

Re:Quick

[Jugalator]

Tsk, tsk, Linux users these days...
I type OpenOffice.org Writer XML in VI... In the format's ZIP-compressed form!

Re:Quick

[Anonymous Coward]

Sure, it comes with a preinstalled vi implementation.

Re:Scary

[Fred_A]

The dream of every sysadmin, to have that kind of power... Open a word file and you'll be fired. *sigh*

Re:Quick

[lanswitch]

But does it run Linux?

Re:Great news for open formats

[Professor_UNIX]

Instead of waiting for the 1.5 - 2 hours for Microsoft Office to install I just downloaded star office and installed (took all of 10 minutes).

You know, you can't really count the amount of time it takes to download Microsoft Office via BitTorrent from a pirate site as part of the install time. Office 2003 took me about 15 minutes to install. Quit making shit up.

Re:Great news for open formats

[tomstdenis]

Does that include the time for downloading updates, rebooting, and praying towards Redmond?

Tom

Puzzled ...

[jc42]

Why in the world would anyone with security concerns (and even the tiniest amount of sense ;-) allow the use of Word or any other proprietary, binary format, in email?

A fun example: A couple of years ago, a fellow hereabouts told the local linux/unix user group a funny story of how Word docs got banned at his workplace. It seems that a VP had written some missive, and decided that it was so important that everyone in the company would want to read it. So he mailed it out to everyone. It was a Word doc, and the people with unix-type workstations mostly couldn't read it, so they did the obvious thing. They fed it to the strings(1) command. The result of this isn't pretty, since it loses all the (binary) formatting and font markup, but the text was readable.

However, strings can't decode the binary stuff, and didn't know to honor the "deleted" tags on big chunks of the file. It seems that among the deleted stuff was a list of the salaries of most of the management. Ooops!

The unix users got a bit of a chuckle out of this, of course, and the news got back to the VP (and other managers) what he'd mailed out. After the inevitable finger pointing settled down, the message got through the mangers' thick skulls that Word docs can and usually do contain "deleted" stuff that hasn't actually been removed or blanked out, and any time they send someone a Word doc, they might be sending them pieces of any other Word doc that has ever been on their computer. And it's not just unix users who can read this "deleted" stuff; a clever programmer could fairly easily make it visible on Microsoft systems, too. You could just port the strings command to Windows.

So the word came down that Word docs were strictly forbidden in email. Especially email sent outside the company.

This problem is not exactly secret. Any organization that allows Word docs, or any other proprietary binary format, in emails is inviting exactly this same sort of problem. Even if you don't understand it or believe it, chances are that some of your competitors do.

It's especially astonishing that the US State Department would allow Word docs to be emailed. Don't they have any competent security people at all?

(Or maybe they do, but they are intentionally ignoring the advice of such people. That does seem to be how the US government works these days. ;-)