MS Office Zero-Day Under Attack

paulBarbs writes "Microsoft is warning users to be on the lookout for suspicious Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk."

  • by HomelessInLaJolla ( 1026842 ) * <lajollahomeless@hotmail.com> on Sunday February 04, 2007 @06:56PM (#17883820) Homepage Journal
    Dear Exploit,

    How old are you? How long have you been available in the wild? How long did your brother exist in SP1 before you came along in SP2? Do you have a cousin which works in Win98/SE? How long have corporate managers been using you to spy on their employees?

    Signed,

    Secret Admirer
  • by Anonymous Coward
    How many more exploits will we need to encounter with Microsoft products before people realize that it's just not worth it to use such flawed software?

    I would have thought that businesses would be the first to learn. They are the ones who tend to be the most affected by situations like this, especially when hundreds or thousands of Windows-based computers on their internal networks become compromised. It costs them a lot of money to clean up those systems.

    Of course, such expenditure could have been prevente
    • Re: (Score:2, Funny)

      by Anonymous Coward
      Well, in Microsoft's defense, the next version of Windows is going to be even more secure! Stick with us, because we care, damn it! Honest! I swear!

      ... and if anyone disagrees, I will throw a chair at them to prove just how much we care!

      Signed,

      Ballmer
    • by Technician ( 215283 ) on Sunday February 04, 2007 @07:45PM (#17884158)

      I would have thought that businesses would be the first to learn. They are the ones who tend to be the most affected by situations like this, especially when hundreds or thousands of Windows-based computers on their internal networks become compromised. It costs them a lot of money to clean up those systems.


      At my place of employment (100% MS shop) they have had too many of these kinds of problems. As a solution, all attachments are filtered and removed. If it was an attachment we were expecting, then we could apply to receive the attachment unless it is an executable. To send an executable file (including MS documents) we are advised to send them as encrypted zip files.

      I don't expect this exploit of the week to be much of an issue for us Monday morning except for a couple road warriors who may have gotten it from home.
      • by rahrens ( 939941 )
        The Agency I work for filters and blocks .zip files, too. They have proven to contain harmful executables in past malware attacks, too.
        • The Agency I work for filters and blocks .zip files, too. They have proven to contain harmful executables in past malware attacks, too.

          I wasn't very clear.. We filter ALL attachments including zip files. Un-encrypted is deleted. Encrypted is held and can be requested if you were expecting it.

          We know about the short note telling you how to use this password to decrypt the attached encrypted zip. It was a hack to get past filters. It is still a way to get past filters, but with the additional step of con
          • by Fred_A ( 10934 )
            So you have to first send a postcard with the password and the hash to the zip file and then email the zip file?

            I'm so glad I don't work with large corps any more. This is getting completely insane. The people I switched to FOSS desktops don't know how happy they ought to be...

            Reminds me of that Dilbert strip where the PHB sent some file to someone then instructed his secretary to fax a copy as well "in case he didn't read his mail" and then to snail mail a printout "so that he'd have a clean copy".
      • by Beer_Smurf ( 700116 ) on Monday February 05, 2007 @01:42AM (#17886576) Homepage
        We use a system that is so hosed that we smash every computer with a hammer before it comes in the door.
        Great.
      • To send an executable file (including MS documents) we are advised to send them as encrypted zip files.
        What the fuck? Why not just eliminate ALL these problems by requiring the use of PGP internally? Enigmail is absurdly easy to use, and I'm sure there are plugins even for Outlook.
    • by Jessta ( 666101 ) on Sunday February 04, 2007 @08:49PM (#17884624) Homepage
      You obviously aren't paying attention.
      There have been many security flaws reported for OpenOffice.

      The problem is not Microsoft specific. It's a problem with overly complex software. Word processors are overly complex which means that there is a lot of code that can contain errors. Most users don't use the full functionality of the software and therefore don't require it to be so complex.

      One of the great advantages of gentoo (and other source based package management) is that you can leave out functionality in a program that you're not going to use. This means less code that can be exploited.

      • Re: (Score:3, Insightful)

        by LeDopore ( 898286 )
        Serious question: "How many gentoo users actually DO hand pick the features they compile?" My guess is that:

        1. It might be hard to know what you can safely leave out of a compile and not break anything
        2. It's difficult to foresee every function you are going to want in a program at compile-time, even if you're familiar with it
        3. There are so many programs on a typical Linux box that to hand-choose modules for them all would take ages.

        I guess in some environments (like cash register systems) you're doing only
        • by Jessta ( 666101 )
          That is true. The php ebuild has a scary number of use flags.
          I guess that's a problem that needs solving.
          A nice module loader, like in the linux kernel would be nice but having it automatically load required modules wouldn't solve the problem. So users would need to know what modules they needed loaded.

          I'm still amazed at the size and complexity of office related programs.

          • I'm still amazed at the size and complexity of office related programs.

            You shouldn't be, really. After all, it's perfectly logical. The number of features is a selling argument for a word processor that needs to compete not only against other products but also its own earlier versions. That's why the number of features - and thus complexity - can only ever grow.

            What I'd like to see is something completely different, a document making system that would cleanly separate content and presentation, a bit l

      • by rifter ( 147452 )

        The problem is not Microsoft specific. It's a problem with overly complex software. Word processors are overly complex which means that there is a lot of code that can contain errors. Most users don't use the full functionality of the software and therefore don't require it to be so complex.

        I never saw the point of allowing scripting within word processing documents, for instance. It violates the fundamental premise of separating code from data. It was bound to cause problems, it has, and it pretty much

        • by Jessta ( 666101 )
          I never saw the point of allowing scripting within word processing documents
          It's about making MS Office a development platform, which to me sounds really expensive. At $700 AUD per user before you even start development, it's not very competitively priced.
  • what? (Score:5, Funny)

    by macadamia_harold ( 947445 ) on Sunday February 04, 2007 @06:58PM (#17883838) Homepage
    MS Office Zero-Day Under Attack

    *rereads headline* what?
  • by product byproduct ( 628318 ) on Sunday February 04, 2007 @07:02PM (#17883858)
    to protect myself against 0-day attacks.
  • by ThinkFr33ly ( 902481 ) on Sunday February 04, 2007 @07:04PM (#17883876)
    The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.

    This is further supported by other software they have released that went through their "secure development lifecycle [microsoft.com]" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.

    Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.
    • by Anonymous Coward
      Do we know for sure that Office 2007 is not affected? Without the source code being available to us under an open source license, I don't think we can, as a community, safely say that it is not affected. All we can do is speculate, or blindly trust Microsoft if they say it's not affected.

      • by DelawareBoy ( 757170 ) on Sunday February 04, 2007 @08:08PM (#17884276)
        If you follow that logic, anything not open source is open to that vulnerability, Microsoft or not...

        However, if you actually try the code which does impact Office 2003 and earlier editions, it does NOT work. Makes me glad I got my free copy of Office 2007.
        • by zCyl ( 14362 )

          Makes me glad I got my free copy of Office 2007.
          Uh huh. I bet the exploit doesn't work on my free copy of Open Office either. :-P
    • True. O'07 is in the 0-15 day section. It'll take the original exploit author a few more days to track down the new memory location, recompile, and test. Maybe the new memory location floats. That might take another day or two to peruse the proper .dll and determine the floating method.
      • by cnettel ( 836611 )
        From the article, it's not just that it fails to work in O2007, it's stated that it's not vulnerable. I'm pretty sure that the current file won't work on Office 2004 for Mac, but that's still listed as vulnerable. If they're consistent, the codepath is really fixed/changed in the new version.

        Anyway, I'm surprised to see Access in the list of "possibly vulnerable". I guess it might be some part of the VBA parsing, since, except for that, lots of the file logic is different (the databases are not compound OL

        • You didn't read far enough

          Load KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash

          All of the other actions listed in the exploit sequence seem to be legitimate actions which, unless Microsoft wants to rewrite legitimate function calls or handle the "XOR shellcode" on a case by case basis (apparently, if it's allowed, there was/is a legitimate use for it someplace), cannot be blocked without creating major compatibility/usability issues for legit users.

          If the exploit can be written for one hardcoded address, which can be found, then it can be written for any ha

    • > The fact that this does not affect Office 2007 suggests that Microsoft
      > is learning from their mistakes.

      Not really. It also may be that nobody targets bugs in these products yet.

      FreeDOS also has not many known vulnerabilities. ;)
    • by fermion ( 181285 )
      The fact that this does not affect MS Office 2007 merely indicates that MS has closed previously exploitable holes, and the pros have not had time to package current exploits into the framework needed by the script kiddies. Even if we see fewer attacks in the future, that could still mean several different things. It could mean that MS Office 2007 is more secure. It could mean a growing competence by users to compensate for MS failure to provide a secure system. Or it could mean that such exploits have
      • The fact that this does not affect MS Office 2007 merely indicates that MS has closed previously exploitable holes

        Actually, that's probably not the case here. If Microsoft knew about this particular hole, they would have issued a patch for it for previous versions. They probably had no idea about this hole. The reason it doesn't affect Office 2007 is probably because Office 2007's basic approach to handling documents is different from previous versions. They treat all documents as potential threats. In other words, the secure development lifecycle made Office a more secure product, and this prevented a previously unkn

  • by Anonymous Coward
    The other day, Bill Gates suggested to Newsweek that the Mac is super-insecure due to lack of code base drama within Mac OS X:

    The number [of Vista security flaws] will be way less because we've done some dramatic things in the code base. Apple hasn't done any of those things.

    He was so right. It is time for Mac users to upgrade to Vista, after all, TFA says:

    Confirmed vulnerable: [...]Office 2004 v. X for Mac.

    There you have it fanboyz... CMD-. your life away! Vista all the way baby!

  • After all these years, the same software bugs seem to continually crop up. I guess that no currently available platform is safe but can't we do better? It has been 2 decades of worrying about viruses, worms, trojans, format string errors, buffer overflows, etc. Microsoft was a latecomer to the "make software secure" game but it has been about 5 years now and the song remains the same. So, my question is, who's doing it right and how?
    • > So, my question is, who's doing it right and how ?

      Code has become so enormous that the answer is, more than likely, nobody.

      I'm still puzzled. Spreadsheet programs, word processors, database programs, etc. etc. etc. all fit on one, maybe two, floppy disks at one time. If anyone wonders how to write secure code the largest starting point is: cut out the advertising glitz and cruft.

      But then the rest of the population would happily go back to sticky notes, $2.99 calculators, pencils, the telephone, US Mail, and the kitchen table (for solitaire) and that wouldn't be profitable for the market sector. So, love it or hate it, just view the security industry not as a problem to be solved but as a tiger to be fed and groomed.
      • by cnettel ( 836611 )
        Well, I think you'll find that apps of that era were NOT resilient to malformed input. Maybe we could get them right if we aimed for the same functionality now, but I almost doubt it. (Well: if you put a workforce equivalent to the complete Excel team onto making a console app with the functionality of the original 1-2-3, I guess they could make it reasonably safe. At least until you press some F key to recalculate.)
        • > apps of that era were NOT resilient to malformed input

          What? Again I say, what?

          Apps of that era only had 8-bit character sets to deal with. Malformed input was so much easier to check for. Not that the expanded character sets of today are any real excuse but still, again I say, what?
    • by flyingfsck ( 986395 ) on Sunday February 04, 2007 @08:30PM (#17884448)
      MS wrote loads of stuff with C++ and the C strings library especially, is total crap. Also, with C++, it is fundamentally impossible to know when it is safe to destroy an object and free its memory. MS is therefore suffering from a bad choice of compiler and coding methods years ago. Their problems won't go away anytime soon.
    • Lisp, J, O'caml, Erlang, Smalltalk all look like safe languages to write in. And yes, they have operating [wikipedia.org] systems [common-lisp.net] in Lisp.
    • by pe1chl ( 90186 )
      There are a couple of things that you can do to avoid this kind of mishap:

      - office workers should not work under an account with administrator privileges. when applications exist in the company that require administrator rights, they should be phased out. there is no excuse for still having such bad program code around in 2007.

      - the user account being used should not have write permission in directories like /windows /program files etc. in our systems, the only directory with write permission is the user
  • by len_p ( 782308 )
    I'll open the XLS file in OpenOffice. I use Linux anyway :) Len [www.len.ro]
  • Maybe this is related to Bill Gates' recent comments, saying he dares someone to do to Microsoft what has recently happened with OS X and zero-days. Careful what you wish for. http://apple.slashdot.org/article.pl?sid=07/02/02/1940232 [slashdot.org]
  • I'm shocked that Billy Joel needed a vocoder to perform the national anthem at the superbowl
  • by zappepcs ( 820751 ) on Sunday February 04, 2007 @07:23PM (#17884000) Journal
    Lately we've seen memos and emails suggesting just how far MS is willing to go, perhaps in the future we'll see emails or memos describing how malicious software was released into the wild to help people decide to buy the new 2007 applications to go with their new Vista PCs?
    • You can embed excel spreadsheets in Office, PowerPoint, even a simple html file.

      I wonder if this exploit is specific to files with the .xls extension? or is it just an exploit that requires excel to load.

      If it's the latter, that's a much bigger problem than the former, especially considering the fact that you can embed spreadsheets in html.
  • Glad I switched (Score:3, Interesting)

    by AlphaLop ( 930759 ) on Sunday February 04, 2007 @07:30PM (#17884046)
    I am so glad I switched to open office. Now whenever one of these things happens I send the article to my friends along with a link for OpenOffice
    • by mccalli ( 323026 ) on Sunday February 04, 2007 @08:08PM (#17884274) Homepage
      I am so glad I switched to open office. Now whenever one of these things happens I send the article to my friends along with a link for OpenOffice

      Do you send links to any of these OpenOffice vulnerabilities [google.co.uk] as well?

      Cheers,
      Ian
      • by caseih ( 160668 )
        Vulnerabilities in OO.org notwithstanding, a few things we must keep in mind: The cost of getting the latest openoffice? Do you need a "genuine" copy of OpenOffice to qualify for patches? Seems like OpenOffice, for all its warts, still comes out ahead in this one area. For home users, this can be a huge point. Of course, the underlying OS (as of windows XP) is still a huge security problem, despite using firefox and oo.org.
      • by smoker2 ( 750216 )
        Interesting how most of those results are announcing *patches* for OO vulnerabilities, and the OO on MS contingent is by far the biggest proportion anyway.
  • who thought of the grunt voice from Warcraft II when they read the headline.
  • Mac vulnerable? (Score:3, Interesting)

    by Angostura ( 703910 ) on Sunday February 04, 2007 @07:53PM (#17884192)
    That's odd - the advisory suggests that Mac Office v.x and 2004 are vulnerable, but that certainly doesn't chime with the mechanism quoted. What's going on here?
    • Bill Gates is right! Apple are lying to everyone about how secure their OS is!

      It's really vulnerable to all the same problems as Windows, and this is proof.
      Absolute irrefutable proof from an utterly incorruptible independent source!
  • ... look how pretty Ribbon is!
  • by suv4x4 ( 956391 ) on Sunday February 04, 2007 @08:08PM (#17884280)
    I fail to see why posts talking about vulnerabilities in widely used software are tagged "haha". Is it really so funny?

    The zombies that will result from those attacks will send spam even to your tricked out Linux PC. You're laughing at your own expense. Have fun.
  • The Irony (Score:5, Funny)

    by Tom ( 822 ) on Monday February 05, 2007 @05:54AM (#17887704) Homepage Journal
    Hi Bill. Didn't you just brag about Windows security [slashdot.org]?

    I dare anybody to do that once a month on the Windows machine.
    February: check
