MS Word Zero-Day Exploit Found
subbers writes "A zero-day flaw in the Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"
At least it's not open source (Score:5, Funny)
Re:At least it's not open source (Score:3, Funny)
Yes, you never know whether an exploit is going to work on an OSS platform.
Now this is what I call an "Open Document Format"! (Score:2, Funny)
It is Open, as in open for hackers to drop root kits on your system.
As in grab your ankles open.
It is also Accessible, as other people now have access to your system.
Why does a document need to have the ability to contain code and execute code on your system?
I'd be happy with just formatting features and losing all "fancy garbage" that allows these holes to exist.
Name Change? (Score:5, Funny)
Not overly bad, combined with some others bad. (Score:5, Insightful)
Re:Not overly bad, combined with some others bad. (Score:5, Informative)
Re:Not overly bad, combined with some others bad. (Score:2, Insightful)
All internal corporate attachments should be banned. That's how you deal with it.
Re:Not overly bad, combined with some others bad. (Score:2, Interesting)
Re:Not overly bad, combined with some others bad. (Score:4, Insightful)
So you're saying in the age of the modern broadband; in the age of rich deliverable content; you are saying we should send text only? That's great. It's got nothing to do with fundamental inherent security issues in Microsoft's software made in poor architecture judgements, as well intended as they were.
It's the fault of a fundamental concept in email delivery, which non microsoft users use without fear.
hmmm.... don't think so. not at all.
Re:Not overly bad, combined with some others bad. (Score:3, Insightful)
Your suggestion that an attachment represents "rich deliverable content" is laughable.
Yes, I am saying email should be text only. It is already, whether you acknowledge it or not. You see, your "attachment" was bit shifted into text characters so it could be packaged in an email without getting munged. SMTP was intended for text and truncates bits based on that assumption. It's a bastardized, encoded cyst. A real document has a lifespan, an author, a source, and various other metadata that
Re:Not overly bad, combined with some others bad. (Score:5, Insightful)
New Microsoft Outlook 2007, The Safe Way
No more of that nasty bold text (or any other formatting for that matter) ruining your otherwise clean message.
Enjoy getting humorous images mailed to you? Not any more!!!
Viruses, no way, not in a text only package! (Unless the sender figures out something we didn't check, like, a buffer overflow if you make a line of text 4097 characters with no breaks.)
E-cards are so 2006, NOW ASCII-cards!!!
Re:Not overly bad, combined with some others bad. (Score:5, Interesting)
You mean the one that has to be sitting on a server for me to get. That document was blocked a long time ago when someone else clicked on it and IT security stopped access to the IP at the firewall to prevent further spreading from the source.
And now, since I cannot email it to someone else, the virus has to share itself on my drive and spread that link around. Only it can't because the workstation doesn't allow shares. There is a corporate share I place docs on.
So not the virus has to find the corporate share, find a directory I have access to and embed itself there. Then email others in the company. Only most others in the company don't have access to the share I have access to. So most can't open the document.
Now you've slowed it down to only spreading to the team with rights to the share using a medium which can be managed - temporarily block the share - scan for the document and remove it - turn the share back on. Other team members risk sharing with the few people they interact with from other teams, but the virus has to find which people those are from the permissions on the share versus mailing list - a sparse matrix.
Yes. I think that pretty much exactly... (Score:3, Insightful)
It's a medium of communications, and text is the only content which can be assumed to be usable by any recipient. Sending anything other than plain old text, unless there is prior agreement between both sender and receiver, is a hindrance to communications.
http://www.efn.no/html-bad.html [www.efn.no]
Re:Yes. I think that pretty much exactly... (Score:3, Interesting)
If you can't assume rich text, why assume _english_?
Better yet, why not send a rich e-mail (especially from a variety of applications, or in a commercial sense) that contains multiple encodings, and select the correct language based upon the recipient's linguistic settings.
No reason that iPhoto 2010 "form e-mails" containing images shouldn't contain the image metadata and a, "Hi! So and so send you these " in whatever language the client chooses.
Restricting e-mail to plaintext
Re:Not overly bad, combined with some others bad. (Score:2)
Re:Not overly bad, combined with some others bad. (Score:2, Insightful)
I would hope not. Yet you're suggesting that we do the same thing with email. Why should we allow anyone who wants to send us anything they want? I don't want to be emailed harmful programs, yet I am anyway. Some of them are wrapped in ".SCR" or ".PIF" or, in this case, ".DOC" files, but
Good lord (Score:4, Insightful)
Refer to a url pointing at a share within the company instead.
Have you never heard of phishing?
Re:Good lord (Score:3, Insightful)
At least with phishers they have to burn an IP address of a node on their zombie cluster to present the mock web page.
Re:Not overly bad, combined with some others bad. (Score:2, Insightful)
Re:Not overly bad, combined with some others bad. (Score:2)
So other than inducing more user errors by adding more steps to people's tasks, what has your method accomplished?
Re:Not overly bad, combined with some others bad. (Score:2)
Just a minor point--it probably wouldn't get the mapped drives only because they'd probably be set up as read only.
Still, you just infect all the documents and wait for one to go live.
Uh, no. (Score:2)
Re:Not overly bad, combined with some others bad. (Score:2)
Blind and pointless cries like, "Stop all attachments!" mean nothing because it's never going to come to pass.
If your systems are being compromised in any way, it's the job of sysadmins and techs to ensure that potential holes are taken care of.
Banning something and affecting productivity is not the answer.
Good luck trying, though. In most corporations, everything is done via email, and for folks that have WFH scenarios
Re:The Slashdot Technology Taliban Rides Again! (Score:2)
We're smarter now and the security risks of the Internet today are far more prevalent than they were back then. There wasn't as much invested back then.
It's time to put the toys back in the garage, clean up your room and do things in an orderly fashion.
email text.
have voice conversations over VOIP.
leave voice messages and docs on servers.
give everyone their own ip a
When do we see a patch? (Score:4, Insightful)
I guess it will be a mess if they don't start detecting it soon. Of course MS will be flamed again.
Patch available (Score:3, Funny)
Re:Patch available (Score:2, Insightful)
Why did that get modded insightful?
If anything, it's barely "informative".
In the corporate world, using Open Office is like driving an electric scooter. Sure, some people think it's cool because it's not a gas-sucking-Hummer, but it's a piece of shit scooter.
Is there perfect compatibility between business users with Word and OO? Absolutely not. It's totally unacceptable for corporate use with other folks that use MS Word regularly. Same with Exce
Re:Patch available (Score:2)
Re:Patch available (Score:2)
Why did that get modded insightful?
If anything, it's barely "informative".
hook, line, and sinker... and rod, and fisherman.
Re:Patch available (Score:3, Informative)
Compatibility is just not a problem. In fact, I have better luck using files from all versions of MS Office than those using MS Office. (MS Office compatibility across versions is poor.)
Re:Patch available (Score:3, Interesting)
And moreover, how many Karma points does this comment get each time, FOR THE LOVE OF GOD MODS THIS IS UTTERLY REDUNDANT!
I agree that MS Office may not be good, in fact it is a P.O.Shit, and O.O.org is nice, (though a bit slow and big) and also free, but IT IS COMPLETELY AND PURE BULLSHIT to state that it is compatible with the oth
Re:When do we see a patch? (Score:2)
No, I am not the least bit surprised or shocked. Yes, I know how things work.
I won't have pity for MS or anyone else who sees their position as more important than people.
In fact, my pity meter is running on empty.
Re:When do we see a patch? (Score:3, Funny)
Re:When do we see a patch? (Score:2)
is Microsoft this fragile? (Score:5, Insightful)
A recent slashdot story asked the question, "Is the internet that fragile?" When I see stories like this, it reminds me and should remind everyone of the other fragile technology(ies), Microsoft and their baggage.
Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:
This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.
Microsoft has made our bed, and now we all must sleep in it (ick). It's unacceptable that such an exploit could so easily take control and wreak damage. Why can a simple e-mail get in and twiddle with what should be administration-privileged system resources? I know the recommendation is everyone accessing their XP as non-administration users, but how do you enforce that, especially when for so long so many of the out-of-the-box configurations make administration rights the default login?
I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege
Of course, a good outcome from this would be to reconsider the global transport of exchanging documentation (e.g., resumes and cover letters, etc.) to something a little less Microsoft, a little more open, and a little less prone to exploits. That can't happen soon enough.
Re:is Microsoft this fragile? (Score:4, Insightful)
You act like MS is the only company that does this. Nothing could be further from the truth.
a better workaround (Score:4, Insightful)
Re:is Microsoft this fragile? (Score:4, Insightful)
"Unique privelege (sic)"? Not quite.. just about every software company absolves itself of legal responsibility in this way.. why, even the GPL does it.
Re:is Microsoft this fragile? (Score:2)
This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.
The open source and closed source communities have already provided me with a better work-around for this attack vector, one which Microsoft motivated me to start employing long ago. MS Word costs money. MS Word is rather slow to open and
Re:is Microsoft this fragile? (Score:3, Insightful)
Re:is Microsoft this fragile? (Score:2)
You can keep the bed lice to yourself. I normally use OpenOffice.org and on occasion I'll sometimes fire up koffice. Not "all" of us must sleep on that crusty, dirty old Microsoft mattress.
Not funny (Score:2, Insightful)
How is it possible these things still keep coming up?
It's not even funny anymore...
Re:Not funny (Score:4, Insightful)
In most cases rich text or even plain text documents are more than adequate. Do memos and resumes really need to have executing code in them?
In related news (Score:5, Funny)
Re:In related news (Score:2)
In other news... (Score:3, Informative)
Re:In other news... (Score:2)
Well the virus was probably written by a team of non-commercial developers. So MSFT is right. Only dangerous things come from those non-money grubbing hippies.
Tom
Re:In other news... (Score:2)
That's a funny statement until you see.... From the article: The e-mail was written to look like an internal e-mail, including signature.
Each email is signed: Sincerely, Steve Jobs
real damage? (Score:5, Funny)
Yeah, but can they do any real damage? : p
Re:real damage? (Score:2)
I only allow local admin with a demonstrated NEED.
Yet I shake my head in amazement when wanna be admin lamerz perform their normal daily tasks (like read their email) logged in as a domain admin.
Question (Score:2, Interesting)
Re:Question (Score:5, Informative)
Re:Question (Score:3, Informative)
I can only guess that it means the worm uses a heretofore unknown exploit. Thus, this exploit is 'zero days' old.
Re:Question (Score:2)
Re:Question (Score:2)
"Zero day" warez means a warez copy is available the day the product releases (sometimes before).
"Zero Day" vulnerabilities are usually ones which are detected before a virus is in the wild for them. (i.e. problem found before an exploit is available)
In general it usually just means "Really new!"
Re:Question (Score:5, Informative)
It means that the exploit was discovered by crackers before any patch has been made available to the public. In other words there is nothing you can do except not open any
But of course, everyone knows that Word is full of holes because no-one has really attempted to use it as an attack vector yet since there are many easier ways [microsoft.com].
Re:Question (Score:2)
Just modify the Wiki page. Share the better explanation with the world instead of leaving it here.
Re:Question (Score:2)
http://en.wikipedia.org/wiki/Zero_day [wikipedia.org]
Re:Question (Score:5, Informative)
N (where N >=1) day exploits refer to the number of days after a vulnerability and/or patch is made available that it takes for exploits to occur. If Microsoft releases a patch on the 12th and an exploit is written on the 15th, that would be a 4 day exploit. Some people would consider it to be a 3 day exploit, not counting the day of the announcement.
Zero day refers to an exploit that uses a previously unknown vulnerability in software, or in some special cases, finds a way to turn a previously known flaw from something that wasn't considered bad enough to patch to a dangerous situation. Zero day exploits are dangerous in that there are no patches for them, although in some cases it can be prevented/mitigated by firewalls or Intrusion Prevention Systems. On the other hand, zero day exploits are often held closely by the people who discover them in order to gain the maximum advantage from it. For example, the exploit used on debian.org a few years ago was not disclosed in order to use it to penetrate several huge names in the open source community. Once a zero day exploit is made public knowledge, it will be focused on and patched.
There is also an archaic use of the term from the old days of pirate BBSes - back when delivery of cracked software was slow, different BBSes would have better priority on getting delivery of that software. The most important ones would get the software the day it was released by the cracking group and would be described as having 0 day warez. Broadband/P2P/etc. has made the use of this term out of date, although it's entirely possible that some people still use it in this context.
Ahh Microsoft (Score:4, Funny)
Just how much is 'exploited'? (Score:3, Insightful)
If it is the former, then it's a very serious flaw. If it's the latter, then it's a serious flaw, but one that will only really adversely affect people stupid enough to run as Administrator all the time, despite Microsoft's own warning against such idiotic practices [microsoft.com].
If it is the latter, then I have further justification to use against the users who have complained about using their Administrator privileges.
Re:Just how much is 'exploited'? (Score:2)
Re:Just how much is 'exploited'? (Score:2)
Re:Just how much is 'exploited'? (Score:2)
Idiotic practice (Score:3, Interesting)
I have a PDA running WinCE, and I can only sync it with MS Active Sync if I am logged on as administrator. I really detest this. It would be so much better if each member of the family could sync their own PDA when logged in as themselves. However, Active Sync does not appear to support this. This machine has to be connected to the internet to update my WinCE apps. I suspect this makes Active Sync "goods not of m
Re:Idiotic practice (Score:2)
Re:Just how much is 'exploited'? (Score:2)
Now I know this is the fault of the app designers but it's pointless to blame the users for not wanting to put up with the tedious aggro of try
Re:Just how much is 'exploited'? (Score:3, Insightful)
Re:Just how much is 'exploited'? (Score:2)
I never claimed that Microsoft's default setup options were intelligent or consistent with their security model.
Re:Just how much is 'exploited'? (Score:2)
Re:Just how much is 'exploited'? (Score:2)
The rest, including my choice for noobs, SuSE, creates standard user permissions default entries. You need to type your root password to muck around with stuff.
Re:Just how much is 'exploited'? (Score:3, Insightful)
Did you miss the part of the article where it says, "The e-mail was written to look like an internal e-mail, including signature".
Get an e-mail from your boss. Doc format. Or get an e-mail from your clients. Doc format.
Do you open it, or not?
Do you feel lucky?
Most of us shouldn't have to worry... (Score:3, Interesting)
Wonderful! So it only affects the latest-and-greatest versions of Office. Considering that MS hasn't added anything since Office 95 (I still run '97, myself), I expect only business users on SA should ever get hit by this exploit.
Then again, I suppose this means that Microsoft has added something, at least since Office 2000... Namely, more security flaws. Woot! Way to go Billy G! "Focus more on security" indeed.
Good thing... (Score:3, Interesting)
DEP? (Score:4, Interesting)
Only a taste... (Score:5, Funny)
Geez. (Score:2)
Re:Geez. (Score:5, Insightful)
WRONG! Modern viruses, for YEARS now, have set their 'sent from' address as a random address they found in either the internet cache, or ADDRESS BOOK of the infected machine. Often many people in a random address book already know each other. That means the virus has a very good chance to be sent 'from' someone you know (in the address line), although that person didn't send it.
Don't trust an attachment just because it appears to come from someone you trust. If you aren't expecting that exact attachment, or there isn't very very clear wording in the email that would make it relevant to something you know about rather than some generic topic, don't open it. Take two seconds and email the person back and ask what it is.
Trusting an attachment just because it appears to come from someone you know is STUPID.
Re:Geez. (Score:2)
"Dear wannabgeek, here's the spreadsheet on the WannaMaker account that we talked about at our tuesday meeting."
There ya go. No need to recontact someone because it's a very specific message that no generic trojan will have.
But if you get a message like:
"Dear Wannabgeek, can you check out this spreadsheet and tell me what you think?"
Then it's time to hit the reply and ask what it is, because a trojan could very well use a message like that to spread.
Re:Geez. (Score:2)
doesn't affect me (Score:2)
Re:doesn't affect me (Score:3, Funny)
Clarification: Attack is from China, not of China (Score:5, Insightful)
They're just using the incredibly insecure servers one can find in China and nearby countries to base the attacks from.
Now, that doesn't mean they aren't Chinese - in fact, that's quite possible - just that where an attack comes from is frequently not where the people who set it off are based in.
security? (Score:5, Informative)
How about:
- make sure your users don't work as administrator but under an unprivileged user account
- set up the system so that this unprivileged user account cannot write in %windir% and %ProgramFiles%
- build the network in such a way that programs cannot directly "connect home" but can connect to the Internet only via well-defined proxy servers
- set up mail so that incoming office documents opened from mail do not open in Office but in the free Office viewers instead
Re:security? (Score:2)
You're getting all fancy schmancy. Besides, how would that help Symantec annoy MS? We have to keep our head and priorities about us in these hectic times and stay focused on the goal.
Re:security? (Score:3, Interesting)
Let me give you an example: I work as a consultant. My laptop is my life. Every week, there is a chance that I'll have to install some weird VPN software on it, program demos, home grown connection programs and change my registry, firewall and connection setting so that I can properly work in the client's network. If my laptop is set up to your specifications, I'm out of my job. For the simple reason that I don't have
Re:security? (Score:5, Interesting)
I don't think so. The system at work has been running like described above for 5 years and there are no real problems. And we are not sitting shaking in our chairs waiting for the next trojan or virus.
many applications still rely on being able to write to their %ProgramFiles% folder
Mostly just hobbyist-in-a-garage stuff and telebanking applications. More serious developers have read Microsoft guidelines over the past years, especially when XP SP2 came out.
The very few exceptions can be managed using a global group and an ACL entry.
Oh, but you're only going to let them run the apps that *you* say they can.
This is the basis for any managed IT environment.
Got any remote workers?
Remote workers can only work via the VPN. Because a group policy applied firewall prevents them from connecting directly to the Internet.
Via the Internet they can connect home over VPN and then back out for websurfing via the proxy. This works well.
they have to close the viewer, save the file, open in word, edit, save, email.
Maybe you need to install the viewers and have a look. They actually have a menu entry to "open this document for editing" which automatically transfers control to Office.
I actually dislike the idea of opening an attachment from a basically read-only entity like an incoming mail into a read/write application by default. Users will start editing the document and forget that it cannot be saved back to the original location.
Opening in a viewer shows the user that it is a read-only document that they need to save elsewhere to edit it.
My PC Compatriots Won't Listen... (Score:3, Insightful)
They do critical MSWord docs back and forth with clients and the FDA in Wash. D.C. all day long, and I really don't think they accept how risky this is today, particularly if a document comes in forwarded from a reliable source that has had the malicious RootKit somehow patched onto an otherwise legitimate document that they need to file with the FDA.
Of course that makes me wonder how the FDA handles a malicious MS Word document. They are no different than anyone else in receiving zero day exploits.
Each time a zero day or other serious problem hits, I remind them, but they are literally afraid of having to learn something new, & so stick with the MS offerings.
Re:My PC Compatriots Won't Listen... (Score:4, Insightful)
I have, many times, opened project scope documents (obviously having been based off of older docs) and seen the private/confidential project details of past clients (to the extent of specific dollar amounts etc.)... All because Word, behind the scenes, tracks your changes as some kind of "convenience"...
I'm sure you can turn off that option, but just consider the technical knowledge of the average marketing/sales person in the office...
In a small business without some strict & exact security policies, it's obviously very easy for default settings like these to exist completely unnoticed for years (no one noticed until I was like WTF when I joined the company)...
WordPad (Score:5, Informative)
feature that can be disabled (Score:3, Informative)
Re:This is nonsense! (Score:2)
Re:This is nonsense! (Score:2)
Also, it wouldn't surprise me if it started re-emailing itself to everyone in your outlook address book. I believe one can send e-mails from
Re:This is nonsense! (Score:3, Funny)
When some other OS with some other standard office suite becomes the de facto standard for business AND for home users, we'll see the same sort of security breaches for that particular combination of software. It hasn't been done yet because there are twenty (or more) times as many Windows machines, and Windows has a larger percentage of careless users.
When Joe Six Pack switches to Linux/Unix/Mac/whatever and MS is the underdog, suddenly they'll be the secure ones.
I
Re:This is nonsense! (Score:2)
Quote from article:
The e-mail was written to look like an internal e-mail, including signature.
Either that, or you don't use your computer for business, at least nothing involving Office Documents.
... after all people never get viruses ... (Score:2)
Works for me.
That way I also don't have to spend extra money on extra hardware to support buggy bloatware virus checkers. How many times have you seen complaints about systems broken by anti-virus software? More often than never? Riiight
Re:... after all people never get viruses ... (Score:2)
Do you just refuse to open MS Word Documents until you get new definitions? How the _hell_ do you know when you are protected?
Re:Oops.. (Score:2)
Is it any more trollish than the article he is referencing?
Re:Oops.. (Score:2)
Stories like this bring out the MS trolls. If you try to point out an MS mis-step, or contradiction, or weakness, or stupidity, you get modded through the floor.
If you say, "Market share leaders are the ONLY operating systems to get hacked/virused", or "Windows has 34873298437 million lines of code, its really too much work to se
Re:There is a REALLY simple solution here... (Score:3, Informative)
http://www.pc-tools.net/unix/renattach/ [pc-tools.net]
I just put it in the system wide procmailrc file and it runs for everyone.
It will rename files based on a file extension list that you designate. In addition it changes the MIME type headers. This forces the user to save and rename the file before launching it.
The author indicates it's no longer maintained, but it works quite well nonetheless.
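The renattach approach in the post above (rename attachments whose extension is on a designated list and rewrite their MIME headers so the user has to save the file before anything can launch it), together with the earlier "security?" suggestion that mailed Office documents should never open straight into Office, can be illustrated with the following Python filter. This is an added example, not renattach's own code or anything from the thread: it parses a raw message, appends `.txt` to any attachment whose extension is on a constructed deny list, relabels that part as `application/octet-stream`, and leaves the encoded payload untouched. The extension list, the `.txt` suffix convention, and the sample message are assumptions made here for the demonstration.

```python
"""Rename risky e-mail attachments and neutralise their MIME type.

Added illustration of the renattach idea discussed in the thread; this is
not renattach's code. The filter reads a raw RFC 822 message, appends
".txt" to attachments whose extension is on RISKY_EXTENSIONS and relabels
them application/octet-stream, so a mail client offers "save" instead of
handing the file to the associated application.
"""
from __future__ import annotations

import email
import os
import sys
from email import policy
from email.message import EmailMessage

# Constructed deny list (an assumption for this example; renattach lets the
# administrator designate the list). Extensions named in the thread are
# included alongside a few common executable types.
RISKY_EXTENSIONS = {".doc", ".dot", ".xls", ".scr", ".pif", ".exe", ".bat", ".vbs"}

# Suffix appended to a risky filename; chosen here, not renattach's convention.
NEUTRAL_SUFFIX = ".txt"


def neutralize_attachments(raw: bytes) -> tuple[bytes, list[tuple[str, str]]]:
    """Return (rewritten message bytes, [(old_name, new_name), ...])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    renamed: list[tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        if os.path.splitext(filename)[1].lower() not in RISKY_EXTENSIONS:
            continue
        # Drop quote characters so the new name embeds safely in a header.
        new_name = filename.replace('"', "") + NEUTRAL_SUFFIX
        # Rewrite both headers a client consults for type and filename.
        # Content-Transfer-Encoding and the encoded body are left alone, so
        # the bytes the user eventually saves are exactly what was sent.
        del part["Content-Type"]
        part["Content-Type"] = f'application/octet-stream; name="{new_name}"'
        del part["Content-Disposition"]
        part["Content-Disposition"] = f'attachment; filename="{new_name}"'
        renamed.append((filename, new_name))
    return msg.as_bytes(), renamed


def list_attachments(raw: bytes) -> list[tuple[str, str]]:
    """(filename, content type) for every part that carries a filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), p.get_content_type()) for p in msg.walk() if p.get_filename()]


def attachment_bytes(raw: bytes, filename: str) -> bytes | None:
    """Decoded payload of the attachment called `filename`, or None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for p in msg.walk():
        if p.get_filename() == filename:
            return p.get_payload(decode=True)
    return None


# Constructed placeholder bytes; not a real document.
FAKE_DOC = b"\xd0\xcf\x11\xe0 constructed placeholder bytes, not a real document"


def build_sample_message() -> bytes:
    """Constructed test message shaped like the 'looks internal' lure in the story."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.com"
    msg["To"] = "analyst@example.com"
    msg["Subject"] = "Updated report (constructed sample)"
    msg.set_content("Please review the attached report.")
    msg.add_attachment(FAKE_DOC, maintype="application", subtype="msword", filename="report.doc")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    # procmail-style use: message on stdin, rewritten message on stdout.
    rewritten, changed = neutralize_attachments(sys.stdin.buffer.read())
    sys.stdout.buffer.write(rewritten)
    for old, new in changed:
        print(f"renamed {old} -> {new}", file=sys.stderr)
```

Run as a stdin/stdout filter it drops into a procmail recipe the same way the post describes for renattach; `build_sample_message()` produces a constructed message on which `report.doc` becomes `report.doc.txt` labelled `application/octet-stream` while `notes.txt` and the decoded document bytes are unchanged. Relabelling rather than stripping keeps the document available to a user who deliberately saves and opens it in a viewer, which is the behaviour both posts ask for.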