Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Microsoft Security IT

Third Microsoft Word Code Execution Exploit Posted 174

gregleimbeck writes "Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened."
This discussion has been archived. No new comments can be posted.

Third Microsoft Word Code Execution Exploit Posted

Comments Filter:
  • by Anonymous Coward on Thursday December 14, 2006 @07:35PM (#17247392)
    I always suspected that Microsoft Word was Turing-complete.
  • Format the Page the way it was meant to be SIMPLE! I mean its JUST WORDS put together why the need for Super Secret imbedded code? Word Perfect did this with precision .
    • by Acuram ( 845804 )
      I can tell you've never used any of the VBA in Word. Executable code + DOM = $$
    • by Shados ( 741919 )
      There's simply no money to be made in a simple office suite. Too many people who use basic office features will either use open office, or downright crack MS Office. Even companies.

      The ones that will actualy shell out for Office are high end corporate customers. And beleive it or not, these features are very useful when you get to that point.
      • by Firehed ( 942385 )
        I'm sure you're right about corporate, but considering how many Firefox users I know (that's to say, those that might consider alternatives to Microsoft), I'm the only one of them that's ever used OpenOffice. And I'm sure that none of them would have had the computer knowledge to crack Office (you know, just find any of a hundred thousand torrents of it).

        Nope, most people I know that need nothing more than a basic office suite still use - and purchase - MS Office. Mind you, they'll typically end up with t
        • by Shados ( 741919 )
          I see. Almost everyone i know using Office has a cracked copy or another. Usualy because Office does a lot less check, and usualy a simple copied CD from work is all you need. An incredible amount of computers come preloaded with illegal office (thats what my parents are using >.> ).

          And well, the educational version of Office's price is so freagin low, it might as well be piracy (depending on your take as to the legitimacy of such pre-sale restriction on software usage, not to be confused with post-sa
  • by Rupan ( 723469 ) on Thursday December 14, 2006 @07:36PM (#17247420) Homepage
    I tried to open the PoC with OpenOffice 2.0.4 and it crashed. Can someone confirm?

    ooffice2 12122006-djtest.doc /usr/lib/openoffice/program/soffice: line 236: 12793 Segmentation fault "$sd_prog/$sd_binary" "$@"

    This may not be a code execution bug; I'll try to trace it with gdb to see what happens.
    • Re: (Score:3, Interesting)

      by phunster ( 701222 )
      It crashed OO 2.1 here
    • by Rupan ( 723469 ) on Thursday December 14, 2006 @07:47PM (#17247580) Homepage
      The gdb backtrace shows that the crash occurs in SwIoSystem::IsFileFilter (). EIP may not have been overwritten; the value points into what appears to be a valid function (i.e. not the stack or heap):

      eip 0xb7286b4d 0xb7286b4d osl_getVolumeInformation+4487

      Of course, this is probably because the exploit was designed to crash MS Word in the first place, not execute arbitrary code.
      • by QuantumG ( 50515 ) *
        Doesn't really match up with this stack trace though does it?

        Fatal exception: Signal 6
        Stack: /usr/lib/openoffice/program/libuno_sal.so.3[0xb754 651f] /usr/lib/openoffice/program/libuno_sal.so.3[0xb754 683f] /usr/lib/openoffice/program/libuno_sal.so.3[0xb754 68dd]
        [0xffffe420] /lib/tls/i686/cmov/libc.so.6(abort+0xe9)[0xb6f7a2b 9] /usr/lib/openoffice/program/libvcl680li.so[0xb7f5d a0b] /usr/lib/openoffice/program/libvcl680li.so(_ZN11Ap plication5AbortERK6String+0x17)[0xb7dbbf53] /usr/lib/openoffice/program/sof
    • by Rupan ( 723469 ) on Thursday December 14, 2006 @08:00PM (#17247726) Homepage
      This is actually quite scary considering the size of Office documents. Store the executable code embedded in the metadata where user-supplied text would normally exist, using a nop slide of several kilobytes at the start. You have at least 26 kilobytes after all... imagine what could be done with 10k of executable code.
    • Can confirm at least freezing (no segfault yet) on OOo 2.0.3 on FreeBSD
    • by TheLink ( 130905 )
      Whoopee OpenOffice is getting more and more compatible with MS Office by the day... ;)

      But as long as people write most of their complex stuff in C or C++ this will keep happening.

      People should switch to programming languages and frameworks that just won't run "arbitrary code of an attacker's choice" when something exceptional occurs.

      After all these decades aren't there any easy to learn, safe and fast programming languages?
      • by ceoyoyo ( 59147 )
        Pick any two. Well, no, pick either of the last two. You might get the first one as a bonus.
      • Re: (Score:3, Insightful)

        by TigerNut ( 718742 )
        You can't fault the programming language. The problem is in the application if it doesn't check buffer size against how much data is being read; it's in the OS if the problem is occurring when the application does a system call of some sort and is compromised in the process.

        However... it looks like there are Oo.org users digging into that side of the problem. Probably they'll have an accurate synopsis of the failure mechanism and a patch on the way in a few days. Unfortunately we can't say the same (with th
        • by TheLink ( 130905 )
          Uh if that happens then the language used is obviously unsafe.

          Next you'll be telling me it's not the fault of a computer system (O/S + hardware) if user A's processes can change the memory contents of user B's processes, and it's actually a problem in the application... Who wants to do cooperative multitasking and memory management nowadays?

          Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit? Sure there should be an error and things could go wrong (e.
          • C++ (Score:4, Insightful)

            by Z34107 ( 925136 ) on Friday December 15, 2006 @12:33AM (#17250542)

            Uh if that happens then the language used is obviously unsafe.

            The language isn't "unsafe" - it just lets you do some very, very nifty stuff that noobtard programmers are better off leaving alone.

            C++ has perfectly "safe" features - the Standard Template Library has container classes like strings and vectors that won't overflow no matter how careless you are.

            For those who insist on going down to the byte level and concatenating their strings themselves, Microsoft included "safe" versions of these functions in Visual Studio 2005, and will compile with warnings if you use the dangerous, buffer-overrun-producing variants.

            Why should potentially arbitrary code be executed because a program tries to put data somewhere it won't fit?

            Because a hacker's input and a programmer's overconfidence in his manual input validation (or lack thereof) put the hacker's code over the program itself. It fit just fine where the still-running program used to be.

            This can happen in any language - C++ programmers are simply notoriously bad at input validation.

      • by Z34107 ( 925136 )

        People should switch to programming languages and frameworks that just won't run "arbitrary code of an attacker's choice" when something exceptional occurs.

        No matter how many different levels of indirection you have, eventually your code turns into instructions and raw bytes that get crunched by the CPU.

        All that changing to a slower and inferior (but easier to program!) language does is add another point of weakness: you can exploit program code or the framework code.

        [goofymetaphor]Languages like Jav

        • by TheLink ( 130905 )
          Sure, there'll always be a place for unsafe languages but most programmers shouldn't be using C++ (or C) - there's plenty of evidence that they obviously don't know how to write safe C++. Just look at Bugtraq every day.

          As for the raw bytes, fine for my code to get turned into instructions, but not fine for an attacker's arbitrary _data_ to somehow being treated as raw instructions.

          Why is it _still_ so common for function parameters/data to be pushed onto stacks that are also used for program counters (retur
          • by Z34107 ( 925136 )

            Why is it _still_ so common for function parameters/data to be pushed onto stacks that are also used for program counters (return addresses)? It's a stupid idea for modern computers - bad hygiene (poorly controlled mixing of code and data).

            First of all, the program counter (or instruction pointer) is the register where the address of the next instruction is stored. The return address is where your program was before it called your function.

            Unless you write your program in one giant function, you will

            • by TheLink ( 130905 )
              I guess I wasn't clear, but I was saying apps can have two stacks, one stack for return addresses and one for parameters. Even if you clobber the parameter stack, you won't clobber the return address stack without the CPU detecting it automatically.

              Why I said one stack for program counters: In loose terms, for a subroutine call the cpu pushes the value of the program counter onto the stack, and then changes the program counter to the new address. The return command just pops the program counter off the stac
  • Someof these bugs can penetrate macs, but is there an actual exploit the pentration on macs? For just one or all three?

    Are these fully macro virsues or are these actual binary executables being injected?

    If we have binary executables being injected by some sort of buffer overrun, then I wonder what happen on intel macs. Does the exploit inject i86 code or ppc code. Does Rosetta run the PPC injection or does the i86 injection run on it's own.

    • Microsoft Word malformed pointer vulnerability

      Overview

      A vulnerability in Microsoft Word could allow an attacker to compromise a vulnerable system.

      I. Description

      Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory. An attacker could trigger this vulner

    • by NadNad ( 550015 )
      Rosetta only kicks in when a binary is started. Once a binary is running, it's stuck in whatever CPU mode it began...an intel-native executable cannot load a ppc shared-library module at all. So need to have a universal-binary exploit if one wants to hit both ppc and i386.
  • there is add for TechNet Security Center on that page
    http://www.microsoft.com/technet/security/default. mspx [microsoft.com]
  • Fairly alarming that a simple document meant to basically contain text, can launch code on an OS.

    How long before someone turns this into an actual feature? Open an attachment in an Email, and launch an app to install something on the machine imbedded in the email itself? I could almost see this as usefull in a business atmosphere.

    Just dont sign me up to work in their IT department. Oh god the horror that could (would) cause.
  • by kbob88 ( 951258 ) on Thursday December 14, 2006 @08:00PM (#17247722)
    Microsoft suggests that users "do not open or save Word files,"
    I really like this quote! That kind of limits the functionality of a word processor if you can't open or save files, right?

    What exactly does Microsoft suggest that I do with Word files? Besides using them to fragment my hard-disk? Maybe I can burn them to keep warm in the winter... um, no.

    Or perhaps I'll just use Word to create and save HTML files!!
  • by ZahnRosen ( 1040004 ) on Thursday December 14, 2006 @08:24PM (#17247956) Homepage
    This goes under the category of basic internet security. Don't open files from people you don't know. And if you do get a wierd file from someone you don't know stop and think for 10 seconds about it before you open it. Or, buy a mac.
    • Re: (Score:3, Informative)

      Network World reports that the exploit is being used in targeted attacks, for which the source and subject line could be made to appear plausible. If the spoofed From line is one of your coworkers's addresses, and the subject is something of current interest in the company, it would be easy to get fooled.

      How will buying a Mac help unless the team that coding Office for the Mac was much more security-conscious than the team that coded Office for Windows? The one thing that Mac has going for it is a good impl
    • by TheLink ( 130905 )
      Uh, a dangerous file is still a dangerous file whether it comes from a stranger or someone you know. It's not like you can only catch diseases from strangers ;).

      Macs are not more secure by design, so if everyone bought a mac, their computers would be worm infested spam spreading zombies in no time. If you are a Mac user and you want to be safe, stay a minority.

      A safe way to open a suspicious file is to use a different pristine machine and reimage that machine after that. Virtual machines might be ok but the
  • Biggest problem with this sort of exploit, is it gets under the radar of people who actually know not to open executables etc that are sent to them - but a document? Unless they are aware of this emploit being "out there" people will recieve an email with "teh funny.doc", "invite to my birthday.doc" or "pics of brittany + paris.doc" and double click without thinking. Boom - instant zombie machine.

    So all those family, friends and colleagues who you've (finally) trained not to open funny.exe or funny.scr a
  • by __aaijsn7246 ( 86192 ) on Thursday December 14, 2006 @08:30PM (#17248018)
    http://en.wikipedia.org/wiki/Milw0rm [wikipedia.org]

    milw0rm is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Bombay, the primary nuclear research facility of India, on June 3, 1998. The attack generated heated debate on the security of information in a world prevalent with countries developing nuclear weapons, the ethics of "hacker activists" or "hacktivists," and the importance of advanced security measures in a modern world filled with teenagers willing and able to break into insecure international websites.
    • From the same Wikipedia article References section:

      ( www.milw0rm.com ) Security site ran by no former milw0rm members
  • Upside:

    Familar user interface
    Fast
    Cheap
    WYSIWYG

    Downsides:

    Replacing blocks of text with larger-sized blocks of text difficult to impossible.
    Cut-and-paste is messy, literally.
    No automated search.

    My Word Processor [sbac.edu]
    • I've tried using that, but everyone always complained that my messages were corrupted and unreadable.
  • Goddamn it (Score:4, Interesting)

    by spellraiser ( 764337 ) on Thursday December 14, 2006 @08:34PM (#17248066) Journal

    From TFA:

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory," the US-CERT warned.

    So yet again it's a case of embedded code within a data file wreaking havoc. And as already been reported in comments here, this vulnerability also exists in OO.org.

    Seeing this kind of thing always blows my mind. I would be greatly interested in hearing the rationale behind the decision to incorporate this feature. What the hell did they need that for?

    • So they can spy on the user. If the holes are there by design,
      it would make sense there are other holes that have yet to
      be discovered.
    • >Data used by Microsoft Word to construct a destination address for a memory copy routine

      I can't wait to find out what this means. Every file format that creates data structures has "data used ... to construct a destination address", in an indirect sense.
    • Re:Goddamn it (Score:4, Interesting)

      by cascadingstylesheet ( 140919 ) on Friday December 15, 2006 @09:30AM (#17254582) Journal
      >So yet again it's a case of embedded code within a data
      >file wreaking havoc.
      >...
      >What the hell did they need that for?

      I don't know about the new XML-ish version, but the old DOC
      "format" was basically a Word memory dump. Not
      quite as surprising when you think of it that way ...
  • Why all these exploits now with applications that have been around for over seven years ??!!
    I mean if the latest version of word had a newly discovered bug, ok...move along, nothing to see here...
    But an exploit that can affect all three version of word (2000, 2002,2003)??!!
    Oh sorry, up to three now aren't we....in the same month....

    I smell a rat...
    And I'll notice the Tail when Word 2007 is declared void of these exploits..
    Call me paranoid, but at least just call me...
    I'm glad I no longer work as MS Phone Su
  • as is the case on many machines out there.

    I wonder if a properly crafted email could launch this one simply by clicking "Reply". Insights, anyone?
  • abiword opens it as a blank file with a funny page dimension

    Openoffice complains about not enough memory to open the file and doesn't even try to open it
  • ....and quarantined the .doc demonstration file. Not much of a zero-day exploit....
  • Does NX cause Word to crash instead of run a worm with this exploit?

    Melissa
  • Unbelievable (Score:4, Insightful)

    by AftanGustur ( 7715 ) on Friday December 15, 2006 @04:26AM (#17252162) Homepage

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself."

    If this is a standard practice at Microsoft, I'm beginning to understand why they are so relunctant to publish their protocols and standards.

Genius is ten percent inspiration and fifty percent capital gains.

Working...