Word Vulnerability Compromised US State Dept. 207
hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Departments network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"
Great news for open formats (Score:5, Insightful)
Scary (Score:5, Insightful)
It proves a set of closed vs open source arguments (Score:5, Insightful)
2) the testing and regression doesn't have the dependency matrix that Word does, and it's likely that if there was a link, it could be both understood and remedied quickly thru an open code supply chain
3) multiple hackers (oops, I mean coders) would likely offer variances of a patch, of which perhaps several would/could be part of the subsequent 'patched' tree
4) eight weeks is a travesty, and that the State Department of the United States of America didn't have an IDF that could detect the abberant traffic is just plain malfeasant. Heads should roll.
Only fooling themselves (Score:5, Insightful)
If you find evidence of a break-in, its possible the attackers are also connecting in a way you haven't yet detected. Hope they know what they're doing. Given their reputation, I doubt [slashdot.org] it [slashdot.org].
Re:Quick (Score:5, Insightful)
OS and Apps must be seperate! (Score:2, Insightful)
Microsoft has created some of the most powerful office tools by leveraging tons of existing code that wasn't exactly designed for the intended purpose.
For example, I love VBA (visual basic for applications)... it can make it very easy to turn a basic spreadsheet into a pseudo application. The problem is, VBA has too many ties to the OS.
That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system.
I cannot blame anyone but MS for this... and not the MS Word or Office team. If the OS were properly designed so that user space applications were properly separated, issues such as this would not exist.
The best part is how long in coming the patch for this is... if these systems were running anything open source, a preliminary patch would be made in a matter of hours (assuming that it was posted immediately to an appropriate mailing list or IRC channel).
I can't wait until the saying is changed to "Everybody is getting fired for buying Microsoft"... because, IMO, any IT manager who gives a shit about the "INFORMATION" portion of their title should be fired for trusting it to MS's proprietary bullshit!
Re:Scary (Score:5, Insightful)
Of course this is a popular article because it's more evidence of how Microsoft's 'professional' products are so amateurish, but you're right, you can't tell thousands of people not to open an attachment.
The root of the problem doesn't lie in Word documents, or Word for Windows. The problem lies in Windows, period. The operating system is practically incapable of separating important and sensitive data from junk-mail and untrusted documents from the outside. In such a place as the State Department, it's scandalous.
Whilst hypothetically, Linux is also vulnerable (eg: through some flaw in Open Office), a properly configured system could protect itself without needing to rely on the end user to manually screen every bit of junk they come across. Sure there would potentially have been some corruption of data, maybe some low level leakage, but really, this all points to a hopelessly overcomplicated and poorly designed OS. Naughty Bill!
Re:Scary (Score:5, Insightful)
Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."
Unfortunately, they didn't disclose the nature of the vulnerability. "hidden software commands" in the mass media could be anything from shellcode to an executable embedded in the document, to a macro. Since Microsoft patched it, it was probably either something that autoran or an overflow.
Re:OS and Apps must be seperate! (Score:5, Insightful)
open formats alone won't save you (Score:3, Insightful)
In their determination to sucessfully match Office's rich features, Open Office has acquired similar vulnerabilities. One evaluation I saw some time ago concluded that Open Office was likely to be more vulnerable than Office.
If you want to be secure, run software that does what you need, and NO MORE! Rich functionality and extensibility are the attack points. Not many people want to restrict themelves to txt files or filtered html, let alone edit any longer with editors such as vi or microemacs. Due to their extensibility, pdf and postscript are suspect in the eyes of the truly paranoid, let alone the complex modern formats.
Re:Scary (Score:5, Insightful)
Christ on a stick! That's a bloody good reason to hide EVERY problem from the IT Nazis.
Does anyone ever get any work done?
Re:Great news for open formats (Score:3, Insightful)
However a new format for every feature doesn't work too well either. Perhaps an extendable document format that plainly details what features are used in the document, so you can tell if that Word doc in your email has more than just the text of that newly leaked Harry Potter novel.
Re:Scary (Score:5, Insightful)
Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."
Nice attempt to evade the issue by raking up redundant matters. The crux of the problem here is that MS Word needs or provides Internet access for some of it's functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems.
The fact that Word is designed to occasionally talk over the internet coupled with it's hooks into the OS via things like VBA etc. is the problem. In fact, the main problem here is not Word or Office, it is the Windows architecture that is vulnerable.
Well in my office (Score:4, Insightful)
Re:Great news for open formats (Score:2, Insightful)
How come you recommend StarOffice over OpenOffice.org?...
Well, perhaps some policy forbids installing free (as in no invoice) software, or the policy requires a support contract.
Re:Scary (Score:2, Insightful)
Of course I don't. Nobody does. But the difference is, I wouldn't run a script like that when receiving it via e-mail, unless specifically requested from the sender. Word documents are another matter. I regularly (few times a week) get them unexpected, from unknown origin, and do open them. That is because I am expecting new sales/purchase leads from new customers/suppliers - that's part of my business. And often they send their info as ms word attachment. That said, I use Linux/OOo so not much risk opening doc files.
The scripts I run are downloaded from "trusted" sources - websites of known open-source software, collection sites like sourceforge, etc.
Wouter.
Re:Great news for open formats (Score:4, Insightful)
With open software, you can look at the source code and see exactly what it does and test it for all the vulnerabilities you want and get them removed, by yourself if you find yourself so talented. Only the monkeys in Redmond know what is really going on in Windows, and anyone using their products is dependent upon MS and MS only for a solution. That may come in days, weeks, but most likely months after a vulnerability is found. Meanwhile, someone ends up releasing details of the vulnerability, then codes up a nasty bug to take adavantage. The fact that MS software is so full of holes and has no real peer-review process among the general population of all possible coders interested in fixing bugs is its weakness in comparison.
Re:Great news for open formats (Score:5, Insightful)
I though even the OS community had realised by now how ridiculous this argument is. World economy would in effect come to a halt if every company and public office started to scan source codes for potential vulnerabilities. This is hardly a selling argument and being a wise-ass about it has never helped the OS movement.
Having a goal of zero vulnerabilities is such complex software as an office suite is strikes as feasible only to an ideologist nerd. In practise there will always be vulnerabilities as long as human beings will be responsible for the design and programming. And having gazillions of eyes searching through the source code presumably on the company dollar is not effective way to remove those faults.
Re:Scary (Score:3, Insightful)
Does anyone ever get any work done?
Depending on your environment, that can actually be the quickest, easiest way to solve a problem.
The GP didn't explain his environment, but in a lot of larger companies you'll find things are standardised as much as is humanly possible. In IT departments, "as much as is humanly possible" quite often isn't very much, so reimaging PCs there is a PITA for all concerned.
But in a call centre, it's fine. In any office where all the people have clear, well-defined roles and you know in advance what software they need (let's say Office, one or two proprietary apps and that's about it), again, it's OK. Things only get complicated when the tools people need to fulfil their roles varies substantially from person to person and even from week to week.
Re:Scary (Score:5, Insightful)
[..]
An example of a good operator: there's a bloke over in administration who I would swear used to work in IT. He's got Open Office installed when everyone else uses Microsoft Office, he uses firefox, thunderbird and trillian for his messenger. About 500 theme packs and a few other bits of software. According to our helpdesk logging system he has only ever called once, and this was when he patched himself for the new daylight savings time last year. Everyone else had the problem as well.
I'd say that's a pretty stupid way to 'administer' your workstations... Why can these people even install all this shit themselves? How can some bloke in administration 'patch his machine' himself? And how does making them not call support because they know they won't fix your problem help with the maintenance of your network. The only thing I can see something like that heading to is an IT support department that only answers the utterly stupid requests and hardware failures. Employees just don't bother to call them because they don't want there machine re-imaged, so they just start fooling around themselves, or ask some guy like the 'bloke from administration' to 'fix' their system. Eventually that can only and in a maintenance and security nightmare.
Re:Great news for open formats (Score:5, Insightful)
What does work for me with open source is that the nature of open, distributed development tends to promote code modularity, which helps keep those defect counts down. And the fact that code is publicly available exerts an influence on developers to publish code they aren't be ashamed of (unlike what happens in proprietary software development with tight deadlines set by the sales team making unrealistic promises to clients - I have been there).
However, there is a real distinction between defect-free software (probably does not exist) and software that intentionally includes back-doors. With open-source, you can have more confidence that there is no back door, spy-ware, or anything else that shouldn't be part of the application. But it certainly doesn't mean the software will be defect free.
hacker != criminal (Score:3, Insightful)
Tom
Re:Great news for open formats (Score:3, Insightful)
Saying open source software is no protection against backdoors because it is vulnerable to compiler-injected code is like saying that wearing a bullet-proof vest into a warzone is no protection because you're still just as vulnerable to stepping on a land mine.
Re:Great news for open formats (Score:3, Insightful)
And unquestionably OpenOffice is immune to parsing [secunia.com] errors [secunia.com].