Word Vulnerability Compromised US State Dept.
hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Department's network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"
Great news for open formats (Score:5, Insightful)
Re: (Score:2, Funny)
Re:Great news for open formats (Score:5, Interesting)
Re: (Score:2, Insightful)
How come you recommend StarOffice over OpenOffice.org?...
Well, perhaps some policy forbids installing free (as in no invoice) software, or the policy requires a support contract.
Re:Great news for open formats (Score:5, Interesting)
Oh, btw, they were using that excel sheet to keep track of a fleet of buses (this co was archaic in their IT dept when I got there). A radio dispatcher was frantically telling the bus drivers there was a computer problem and to 'hold tight' for 15 minutes till I got there, then 5-10 more minutes to figure out MS file recovery wouldn't cut it, and 5 to install SO from network and fix the prob. The only serious occasion that pitted MS vs SO and the results were stark. So no I'm not on Sun's payroll, but the story ought to be a commercial, and I walked out like a hero so I'm happy to tell it.
Re:Great news for open formats (Score:4, Funny)
Re:Great news for open formats (Score:4, Funny)
Tom
Re: (Score:3, Insightful)
However a new format for every feature doesn't work too well either. Perhaps an extendable document format that plainly details what features are used in the docum
Re: (Score:3, Interesting)
Re:Great news for open formats (Score:4, Insightful)
With open software, you can look at the source code and see exactly what it does and test it for all the vulnerabilities you want and get them removed, by yourself if you find yourself so talented. Only the monkeys in Redmond know what is really going on in Windows, and anyone using their products is dependent upon MS and MS only for a solution. That may come in days, weeks, but most likely months after a vulnerability is found. Meanwhile, someone ends up releasing details of the vulnerability, then codes up a nasty bug to take advantage. The fact that MS software is so full of holes and has no real peer-review process among the general population of all possible coders interested in fixing bugs is its weakness in comparison.
Re:Great news for open formats (Score:5, Insightful)
I thought even the OS community had realised by now how ridiculous this argument is. The world economy would in effect come to a halt if every company and public office started to scan source code for potential vulnerabilities. This is hardly a selling argument and being a wise-ass about it has never helped the OS movement.
Having a goal of zero vulnerabilities in software as complex as an office suite strikes me as feasible only to an ideologist nerd. In practice there will always be vulnerabilities as long as human beings are responsible for the design and programming. And having gazillions of eyes searching through the source code, presumably on the company dollar, is not an effective way to remove those faults.
Re:Great news for open formats (Score:5, Insightful)
What does work for me with open source is that the nature of open, distributed development tends to promote code modularity, which helps keep those defect counts down. And the fact that code is publicly available exerts an influence on developers to publish code they aren't ashamed of (unlike what happens in proprietary software development with tight deadlines set by the sales team making unrealistic promises to clients - I have been there).
However, there is a real distinction between defect-free software (probably does not exist) and software that intentionally includes back-doors. With open-source, you can have more confidence that there is no back door, spy-ware, or anything else that shouldn't be part of the application. But it certainly doesn't mean the software will be defect free.
Re: (Score:2)
Open Source Software isn't defect free.
Open Source Isn't bug free.
Not having to rely on a single point of failure --- priceless.
That point of failure can be hardware, software, or corporate--either yours or theirs. I wouldn't trust an all-Apple, an all-IBM, or an all-Sun software stack either, so why would anyone trust all-Microsoft software? Open source doesn't come from one source. Best of all you have the tools and pieces needed so you can hire a company to patch it fo
Re: (Score:2)
a) Everyone CAN look at it (so no backdoors will be implemented)
b) Some people actually DO look at it (so more bugs tend to be found by a wider audience, more quickly).
c) Many WOULD look at it if they needed to (a really urgent issue can be solved locally if need be).
So yes, of course Open Source is good if you want safer software.
Michael
Re: (Score:2)
b) is also an incorrect conclusion. See the year and a half before finding the hard coded password in Interbase, and the exploitable double free that was in zlib for several years
Re: (Score:3, Insightful)
Actually, I would say a)'s conclusion was correct (and yes I'm familiar with the attack you mentioned). The poster did not say "no backdoors can exist in the software", but "no backdoors will be implemented". Assuming the poster meant "no backdoors will be implemented in the software being examined", I would say it is a correct statement -- there i
Re: (Score:2)
Re: (Score:2)
Why? (Score:2)
Re: (Score:3, Insightful)
And unquestionably OpenOffice is immune to parsing [secunia.com] errors [secunia.com].
Hmmm...hackers (Score:5, Funny)
Re: (Score:2, Funny)
Re: (Score:2)
Quick (Score:4, Funny)
Re:Quick (Score:5, Insightful)
Re:Quick (Score:5, Funny)
Emacs
*ducks and runs*
Emacs (Score:2)
Richard Stallman is giving his "Copyright and Community in the age of computer networks" lecture at Johns Hopkins tomorrow morning. For anyone who's heard it already: worth taking an early lunch to go hear? How long does it run?
Re: (Score:3, Funny)
Re: (Score:2, Funny)
Re: (Score:3, Funny)
Re: (Score:3, Funny)
I type OpenOffice.org Writer XML in VI... In the format's ZIP-compressed form!
Re: (Score:2)
Re: (Score:2)
Scary (Score:5, Insightful)
Re:Scary (Score:5, Insightful)
Of course this is a popular article because it's more evidence of how Microsoft's 'professional' products are so amateurish, but you're right, you can't tell thousands of people not to open an attachment.
The root of the problem doesn't lie in Word documents, or Word for Windows. The problem lies in Windows, period. The operating system is practically incapable of separating important and sensitive data from junk-mail and untrusted documents from the outside. In such a place as the State Department, it's scandalous.
Whilst hypothetically, Linux is also vulnerable (eg: through some flaw in Open Office), a properly configured system could protect itself without needing to rely on the end user to manually screen every bit of junk they come across. Sure there would potentially have been some corruption of data, maybe some low level leakage, but really, this all points to a hopelessly overcomplicated and poorly designed OS. Naughty Bill!
Re: (Score:3, Interesting)
A properly configured windows system is as secure as a properly configured linux system (well, in this case anyway!). And in case you're wondering: If our helpdesk can't solve the issue within 15 minutes the PC is re-imaged no questions asked no data saved. People store stuff on network ser
Re:Scary (Score:5, Insightful)
Christ on a stick! That's a bloody good reason to hide EVERY problem from the IT Nazis.
Does anyone ever get any work done?
Re:Scary (Score:5, Interesting)
It also means that we have a relatively standardised form across the board despite having PCs everywhere and very quickly weed out the users who think they're smart but aren't really.
An example of a good operator: there's a bloke over in administration who I would swear used to work in IT. He's got Open Office installed when everyone else uses Microsoft Office, he uses firefox, thunderbird and trillian for his messenger. About 500 theme packs and a few other bits of software. According to our helpdesk logging system he has only ever called once, and this was when he patched himself for the new daylight savings time last year. Everyone else had the problem as well.
Also, so that those who aren't aware know, you don't have to be a local administrator to install a network printer. Anyone hooking a printer directly to a PC in a corporate environment is either a director or an IT person who has lots to learn.
Re:Scary (Score:5, Insightful)
[..]
An example of a good operator: there's a bloke over in administration who I would swear used to work in IT. He's got Open Office installed when everyone else uses Microsoft Office, he uses firefox, thunderbird and trillian for his messenger. About 500 theme packs and a few other bits of software. According to our helpdesk logging system he has only ever called once, and this was when he patched himself for the new daylight savings time last year. Everyone else had the problem as well.
I'd say that's a pretty stupid way to 'administer' your workstations... Why can these people even install all this shit themselves? How can some bloke in administration 'patch his machine' himself? And how does making them not call support because they know they won't fix your problem help with the maintenance of your network? The only thing I can see something like that heading to is an IT support department that only answers the utterly stupid requests and hardware failures. Employees just don't bother to call them because they don't want their machine re-imaged, so they just start fooling around themselves, or ask some guy like the 'bloke from administration' to 'fix' their system. Eventually that can only end in a maintenance and security nightmare.
Re: (Score:3, Interesting)
Re: (Score:2, Interesting)
Re: (Score:2)
Does anyone ever get any work done?
The IT department gets LOTS of work done! Very efficient.
Re: (Score:3, Insightful)
Does anyone ever get any work done?
Depending on your environment, that can actually be the quickest, easiest way to solve a problem.
The GP didn't explain his environment, but in a lot of larger companies you'll find things are standardised as much as is humanly possible. In IT departments, "as much as is humanly possible" quite often isn't very much, so reimaging PCs there is a PITA for all concerned.
But in a call centre
Re: (Score:2, Interesting)
It is also unmanageable by the operator. IT does not have time to run around and help everyone when he needs to connect to a printer, for example, or install an approved, free or site-licensed piece of software. A simple XP user can't even change his own preferences in Word; a power user can't connect to a printer (but can install some software.) The XP privileges and their effects are as chaotic as they can be.
Re: (Score:3, Interesting)
not trying to excuse microsoft for their shitty product, just saying you can tell people to stop usi
Re: (Score:3, Funny)
Re:Scary (Score:5, Insightful)
Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."
Unfortunately, they didn't disclose the nature of the vulnerability. "hidden software commands" in the mass media could be anything from shellcode to an executable embedded in the document, to a macro. Since Microsoft patched it, it was probably either something that autoran or an overflow.
Re:Scary (Score:5, Insightful)
Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."
Nice attempt to evade the issue by raking up redundant matters. The crux of the problem here is that MS Word needs or provides Internet access for some of its functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems.
The fact that Word is designed to occasionally talk over the internet coupled with its hooks into the OS via things like VBA etc. is the problem. In fact, the main problem here is not Word or Office, it is the Windows architecture that is vulnerable.
Re:Scary (Score:5, Informative)
Such a thing is rather complex, and probably not pre-existing within word. It was brought in by the trojan itself.
Re: (Score:2)
Such a thing is rather complex, and probably not pre-existing within word. It was brought in by the trojan itself.
1. Excuse me... how would such a call-back program be initiated, and how would it perform the desired function? Does it not mean that Word has the provision / bug of being able to initiate external programs that
Re: (Score:3, Informative)
Excuse me... how would such a call-back program be initiated,
"Shell code". Typically, a buffer overflow causes some user data (contained in Word document) to overwrite the stack, including the return address. The function in Word where this happened would thus not "return" to its intended spot (the caller), but rather to some other place in memory. This would be chosen by the attacker in such a way as to point to some place within the document. The document would contain machine-language code for the rest of the program (presumably, it would drop an exe somewhere, a
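As an added illustration of the mechanism the reply above describes, and not code from the thread, from Word or from the actual exploit, here is a constructed toy record parser in C. The record format (a 2-byte little-endian length followed by that many bytes of text), the `FIELD_MAX` size and the `demo_*` helpers are all assumptions made for this example. The vulnerable parser copies a document-controlled number of bytes into a fixed stack buffer, which is exactly how document bytes end up overwriting the saved return address; the hardened parser checks the declared length against both the buffer and the bytes actually supplied.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy format, constructed for this example: [len lo][len hi][len bytes of text]. */
#define FIELD_MAX 32

static size_t read_len(const uint8_t *rec)
{
    return (size_t)rec[0] | ((size_t)rec[1] << 8);
}

/*
 * Vulnerable: trusts the embedded length. With len > FIELD_MAX, memcpy runs
 * past `field`, over the saved frame pointer and return address, so the
 * function "returns" to an address taken from the document. Shown only for
 * contrast; the demos below never feed it a hostile record.
 */
int parse_field_vulnerable(const uint8_t *rec, size_t rec_len, char *out)
{
    char field[FIELD_MAX];
    size_t len = read_len(rec);          /* attacker-controlled */
    (void)rec_len;                       /* never consulted */
    memcpy(field, rec + 2, len);         /* no bound against FIELD_MAX or rec_len */
    field[len] = '\0';
    memcpy(out, field, len + 1);
    return (int)len;
}

/* Hardened: the length must fit the buffer (with room for NUL) and the data present. */
int parse_field_hardened(const uint8_t *rec, size_t rec_len, char *out)
{
    char field[FIELD_MAX];
    if (rec_len < 2) return -1;
    size_t len = read_len(rec);
    if (len > FIELD_MAX - 1) return -1;  /* would overflow the stack buffer */
    if (len > rec_len - 2) return -1;    /* declares more bytes than were supplied */
    memcpy(field, rec + 2, len);
    field[len] = '\0';
    memcpy(out, field, len + 1);
    return (int)len;
}

/* Build a record that claims `declared` bytes while actually supplying strlen(text). */
size_t make_record(uint8_t *buf, size_t buf_sz, uint16_t declared, const char *text)
{
    size_t n = strlen(text);
    if (buf_sz < 2 + n) return 0;
    buf[0] = (uint8_t)(declared & 0xFF);
    buf[1] = (uint8_t)(declared >> 8);
    memcpy(buf + 2, text, n);
    return 2 + n;
}

/* Benign field: both parsers agree and return the field length (5). */
int demo_benign(void)
{
    uint8_t rec[64]; char out[FIELD_MAX];
    size_t n = make_record(rec, sizeof rec, 5, "hello");
    if (parse_field_vulnerable(rec, n, out) != 5 || strcmp(out, "hello") != 0) return -1;
    return parse_field_hardened(rec, n, out);
}

/* Length field claims 4096 bytes while only 5 are present: hardened parser returns -1. */
int demo_oversized_claim(void)
{
    uint8_t rec[64]; char out[FIELD_MAX];
    size_t n = make_record(rec, sizeof rec, 4096, "hello");
    return parse_field_hardened(rec, n, out);
}

/* 40 bytes really are present, but FIELD_MAX is 32: the classic stack smash, refused (-1). */
int demo_fits_record_not_buffer(void)
{
    uint8_t rec[64]; char out[FIELD_MAX]; char text[41];
    memset(text, 'A', 40); text[40] = '\0';
    size_t n = make_record(rec, sizeof rec, 40, text);
    return parse_field_hardened(rec, n, out);
}

int main(void)
{
    printf("benign: %d\n", demo_benign());
    printf("oversized claim: %d\n", demo_oversized_claim());
    printf("fits record, not buffer: %d\n", demo_fits_record_not_buffer());
    return 0;
}
```

The third demo is the case that matters: the record is internally consistent, so a check of "declared length vs bytes present" alone passes it, and only the check against the destination buffer stops the overwrite.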
Re: (Score:2)
Nice attempt to evade the issue by raking up redundant matters. The crux of the problem here is that MS Word needs or provides Internet access for some of it's functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems.
No, I'm afraid you're completely wrong. Word is not being exploited via "network-aware" functions. The exploits are Word .doc files with particular malformed elements. Nothing to do with networks except insofar as the booby-trapped documents are transmitted to the victim via email.
Re: (Score:2, Insightful)
Running ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?
Of course I don't. Nobody does. But the difference is, I wouldn't run a script like that when receiving it via e-mail, unless specifically requested from the sender. Word documents are another matter. I regularly (few times a week) get them unexpected, from unknown origin, and do open them. That is because I am expecting new sales/purchase leads from new customers/suppliers - that's part of my business. And often they send their info as ms word attachment. That said, I use Linux/OOo so not much risk open
Re: (Score:2)
Running configure and make on a package from a "reputable" source is not the same as opening random documents people send you in an email. Or do you routinely have source packages mailed to you which you blindly build?
I say "reputable" because while, in theory, you could download a source package from, say, sourceforge, that someone had trojaned, there are a number of f
Re: (Score:2)
This would be found quickly by users, reported, and removed from sourceforge in short order
Why the conditional tense? Such things have already happened several times. And indeed, they've usually been located within days, but during that time, other people already have downloaded, built and run the trojaned packages.
There are high odds that, if the piece of software you are using is generally usable and of wide appeal, there are a lot of other people who use it, and the maintainers are well-known (how many big open source projects are done anonymously?)
What usually happens is that the distribution system is hacked, i.e. a third party somehow manages to slip a backdoor into a reputable program. Or maybe a minor contributor submits a "sneaky" patch that appears to fix a bug, but introduces another one using a well-placed typo. If thi
You don't read your scripts? (Score:2)
Are you suggesting I don't read all my make install and
I review my scripts for correctness every morning before I kick off my kernel recompile and take my shower.
Re: (Score:2)
I think the problem of having a problem is as bad as how easy and automated the problem can be. It isn't necessarily that a bug exist but what can be done wit
Re: (Score:2)
> Do you read through those scripts before running them?
Ok now we are getting into compiling source code and this is not what a normal user would do, even under Unix or Linux much less MS Windows. I can and do on occasions but normally try to get an "rpm" kit (Linux) but I can compile from source.
On Linux/Unix when I get source I always work as a non privileged user (myself). First I read the README then after setting u
Re: (Score:2)
Use an effective mail/document storage system.
Re:Scary (Score:4, Interesting)
FTA (which isn't entirely clear):
The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as back door communications with the hackers.
It's not clear but I wouldn't be so quick to say the employee was stupid for opening an email without knowing the source. If it appeared legit and it was just a plain word doc with no VB scripts then it's not all his/her fault.
And why are you taking aim at governments in particular, any government, corporation or single home user could have been fooled by this.
Re: (Score:2)
Re: (Score:2)
And how, short of digital signatures, would you know who sent the email? SMTP has no method to authenticate the sender, as spammers demonstrate every day. You can send a fake email with nothing more than a telnet app.
Re: (Score:2)
And how, short of digital signatures, would you know who sent the email? SMTP has no method to authenticate the sender, as spammers demonstrate every day. You can send a fake email with nothing more than a telnet app.
Nowadays, there are workarounds, such as SPF. If it passes SPF (and if SPF was properly set up by the domain being verified), you can assume with some confidence that the mail is legit.
And, in case of mails purporting to be from the government itself (as was apparently the case here...): why isn't their MTA rejecting all mails that claim to be internal but came in via the public internet rather than the VPN?
slight modification to your proposal (Score:2, Interesting)
A customer needed an instruction for how to remove the lid from a specialty box. (for field support purposes, the field guys could be morons, so better to have something from the vendor)
He calls me and asks for it, I whip something up in PDF and shoot it over to him.
He calls me
(Insert Troll Here) (Score:5, Funny)
a) It's only because MS Office has the largest market share, this could of happened to any office suite!
b) It's not a big deal, obviously the state department's IT department is incompetent.
c) Damn Hackers, always trying to ruin a good thing!
d) Macs run on Intel processors now, so they're vulnerable too!
e) This is probably because the NSA sponsors SELinux.
f) In Soviet Russia, MS Office hacks YOU!
Did I miss any?
Re: (Score:2)
Re: (Score:2)
Yes. Imagine a Beowulf Cluster of MS shills and Apple fanboys... oh wait! Isn't that Slashdot already?
Re:(Insert Troll Here) (Score:5, Funny)
Re: (Score:2, Funny)
The first is a phrase that doesn't make sense, and the second is a contraction of "could have".
Re: (Score:2)
cue 2 (kyoo) n. 1. A signal, such as a word or action, used to prompt another event in a performance, such as an actor's speech or entrance, a change in lighting, or a sound effect.
---snip---
from http://www.thefreedictionary.com/cue [thefreedictionary.com]
Re: (Score:2)
Re: (Score:3, Interesting)
Yet the same government has politicians who are nobbled by Microsoft into saying that open source is less secure because anyone can look through it for security bugs.
Re: (Score:2)
It proves a set of closed vs open source arguments (Score:5, Insightful)
2) the testing and regression doesn't have the dependency matrix that Word does, and it's likely that if there was a link, it could be both understood and remedied quickly thru an open code supply chain
3) multiple hackers (oops, I mean coders) would likely offer variances of a patch, of which perhaps several would/could be part of the subsequent 'patched' tree
4) eight weeks is a travesty, and that the State Department of the United States of America didn't have an IDS that could detect the aberrant traffic is just plain malfeasant. Heads should roll.
Re:It proves a set of closed vs open source argume (Score:2)
The State Department detected its first break-in immediately, Reid said, and worked to block suspected communications with the hackers. But during its investigation, it discovered new break-ins at its Washington headquarters and other offices in eastern Asia, Reid said. At first, the hackers did not immediately appear to try stealing any U.S. government data. Authorities quietly monitored the hackers' activity, then tripwires severed Internet connections in the region after a limited amount of data was detected being stolen, Reid said.
Good Times (Score:2)
Thanks Microsoft.
Re: (Score:2)
I think this is a direct link to the article/picture [myconfinedspace.com]
Only fooling themselves (Score:5, Insightful)
If you find evidence of a break-in, its possible the attackers are also connecting in a way you haven't yet detected. Hope they know what they're doing. Given their reputation, I doubt [slashdot.org] it [slashdot.org].
The airlock is closing... (Score:4, Funny)
"Cap'n, we're having a wee bit 'o trouble in IT - we're leaking data down here like no one's bloody business - we may have to sever communications!"
"Scottie - is it really that bad...? Isn't there some alternative that will buy us more time??!! I need more time, dammit man!"
"Cap'n, I'm only a Star Fleet Engineer, not the Queen's magician..."
"Well, Engineer...see if you can pull a rabbit out of your ass and buy me five more minutes before you cut us off. That's all we need to make the jump, and after that you can cut your nuts off for all I care!"
"Aye, Cap'n...do me best - one shit-stained rabbit, com'n up - IT out!"
OS and Apps must be separate! (Score:2, Insightful)
Microsoft has created some of the most powerful office tools by leveraging tons of existing code that wasn't exactly designed for the intended purpose.
For example, I love VBA (visual basic for applications)... it can make it very easy to turn a basic spreadsheet into a pseudo application. The problem is, VBA has too many ties to the OS.
That's where "sane" oper
Re:OS and Apps must be separate! (Score:5, Insightful)
Re: (Score:2)
I cannot claim for certain that a similar exploit couldn't be done in a more secure, by design, operating system. Howev
Re: (Score:2)
Th
How the **** is this insightful? (Score:4, Informative)
Are you implying that is not the case with windows??? A quick look in task manager shows some system processes running as your user account, some as "LOCAL SERVICE", some as "NETWORK SERVICE", (both restricted accounts) and some as "SYSTEM" (=root). And a quick look at top on my linux box sure doesn't show "almost all" services running as unique users.
And sure, its up to the administrator to configure it so the user account is not an administrator, but I've never seen a government system where a domain user account has local admin rights.
In the specific case of this vulnerability, the word document was able to run arbitrary executable code as the current user. This presumably allowed access to network shares, and then sending the data back out (via HTTP most likely). That sort of thing would be possible with any operating system.
The only area you are correct in is that on linux the flaw could be patched quicker... But in a large organization, it likely could still be preferable to block the exploit with IDS/firewall rules than by rolling out a client patch...
Opendoc (Score:3, Interesting)
Microsoft is Like Internet of Old (Score:5, Interesting)
So, I take it that they haven't found that... (Score:2)
Must suck to be Lenovo... (Score:5, Funny)
open formats alone won't save you (Score:3, Insightful)
In their determination to successfully match Office's rich features, Open Office has acquired similar vulnerabilities. One evaluation I saw some time ago concluded that Open Office was likely to be more vulnerable than Office.
If you want to be secure, run software that does what you need, and NO MORE! Rich functionality and extensibility are the attack points. Not many people want to restrict themselves to txt files or filtered html, let alone edit any longer with editors such as vi or microemacs. Due to their extensibility, pdf and postscript are suspect in the eyes of the truly paranoid, let alone the complex modern formats.
Well in my office (Score:4, Insightful)
Re: (Score:2)
oh good lord (Score:2, Interesting)
Word 2007 Flaws Are Features, Not Bugs (Score:2)
Scanning at the mail server. (Score:4, Interesting)
I wonder then, if it might be possible to scan a Word document for stuff that's not needed. Treat all dot docs that have VB in them as executables and block them out. You might go so far as to attempt intelligent analysis of the document to make sure it consists only of code that would reasonably be generated by a human being. Perform sanity checks on certain variables and so on.
I'm surprised that they dropped all internet access. (Score:2)
Most people under similar circumstances would simply upgrade their firewall ruleset and if necessary adopt alternate internal policies to allow limited connection to the internet during the crisis - especially given that it was indicated that the problems dropping the internet connection caused were significant.
Simply unplugging the pipe to circumvent an internal threat is like turning the power
Re:I'm surprised that they dropped all internet acce (Score:2)
The IT guys at my work do that too, but all they really need to do is strip off everything except text/plain. At least that way we could keep working. They probably think emailing word documents to each other is normal and can't imagine not having it.
hacker != criminal (Score:3, Insightful)
Tom
Puzzled ... (Score:3, Funny)
A fun example: A couple of years ago, a fellow hereabouts told the local linux/unix user group a funny story of how Word docs got banned at his workplace. It seems that a VP had written some missive, and decided that it was so important that everyone in the company would want to read it. So he mailed it out to everyone. It was a Word doc, and the people with unix-type workstations mostly couldn't read it, so they did the obvious thing. They fed it to the strings(1) command. The result of this isn't pretty, since it loses all the (binary) formatting and font markup, but the text was readable.
However, strings can't decode the binary stuff, and didn't know to honor the "deleted" tags on big chunks of the file. It seems that among the deleted stuff was a list of the salaries of most of the management. Ooops!
The unix users got a bit of a chuckle out of this, of course, and the news got back to the VP (and other managers) what he'd mailed out. After the inevitable finger pointing settled down, the message got through the managers' thick skulls that Word docs can and usually do contain "deleted" stuff that hasn't actually been removed or blanked out, and any time they send someone a Word doc, they might be sending them pieces of any other Word doc that has ever been on their computer. And it's not just unix users who can read this "deleted" stuff; a clever programmer could fairly easily make it visible on Microsoft systems, too. You could just port the strings command to Windows.
So the word came down that Word docs were strictly forbidden in email. Especially email sent outside the company.
This problem is not exactly secret. Any organization that allows Word docs, or any other proprietary binary format, in emails is inviting exactly this same sort of problem. Even if you don't understand it or believe it, chances are that some of your competitors do.
It's especially astonishing that the US State Department would allow Word docs to be emailed. Don't they have any competent security people at all?
(Or maybe they do, but they are intentionally ignoring the advice of such people. That does seem to be how the US government works these days.)
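Two of the ideas in this thread, scanning .doc attachments at the mail server for macro content and the strings(1) trick that exposed "deleted" text above, rest on the same operation: pulling UTF-16LE text out of a legacy Word binary. The following C program is an added example written for this page, not code from the thread, from any poster or from any product. It checks the OLE2 (Compound File) header signature, extracts UTF-16LE strings at both byte parities the way `strings -el` would, and flags the stream names (`Macros`, `VBA`, `_VBA_PROJECT`) that only appear when a VBA project is embedded. The sample file bytes are constructed inline and are not a valid document, and the name-matching is a heuristic, not a parse of the OLE directory; a gateway that really wants to block macro documents should use a proper OLE2 parser such as oletools' olevba.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_STR 256

/* Compound File Binary signature: every legacy .doc/.xls/.ppt starts with it. */
static const uint8_t OLE_MAGIC[8] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};

int is_ole2(const uint8_t *buf, size_t n)
{
    return n >= 8 && memcmp(buf, OLE_MAGIC, 8) == 0;
}

typedef void (*string_cb)(const char *s, size_t len, void *ctx);

/* Emit every run of >= min_len printable ASCII chars stored as UTF-16LE (hi byte 0).
 * Word text may start at odd file offsets, so both parities are scanned. */
size_t utf16le_strings(const uint8_t *buf, size_t n, size_t min_len, string_cb cb, void *ctx)
{
    size_t count = 0;
    char tmp[MAX_STR];
    for (size_t start = 0; start < 2; start++) {
        size_t run = 0;
        for (size_t i = start; i + 1 < n; i += 2) {
            uint8_t lo = buf[i], hi = buf[i + 1];
            if (hi == 0 && lo >= 0x20 && lo < 0x7F && run < MAX_STR - 1) {
                tmp[run++] = (char)lo;
                continue;
            }
            if (run >= min_len) { tmp[run] = '\0'; count++; if (cb) cb(tmp, run, ctx); }
            run = 0;
        }
        if (run >= min_len) { tmp[run] = '\0'; count++; if (cb) cb(tmp, run, ctx); }
    }
    return count;
}

/* Storage/stream names that exist only when a VBA project is embedded (heuristic). */
static const char *MACRO_NAMES[] = { "Macros", "VBA", "_VBA_PROJECT", NULL };

struct match_ctx { int hits; };
static void macro_cb(const char *s, size_t len, void *ctx)
{
    (void)len;
    for (const char **p = MACRO_NAMES; *p; p++)
        if (strcmp(s, *p) == 0) ((struct match_ctx *)ctx)->hits++;
}

/* 1 if the buffer is OLE2 and carries a macro-only stream name; the gateway rule
 * from the thread would treat such an attachment as an executable and drop it. */
int looks_like_macro_doc(const uint8_t *buf, size_t n)
{
    struct match_ctx m = {0};
    if (!is_ole2(buf, n)) return 0;
    utf16le_strings(buf, n, 3, macro_cb, &m);
    return m.hits > 0;
}

struct find_ctx { const char *needle; int found; };
static void find_cb(const char *s, size_t len, void *ctx)
{
    (void)len;
    struct find_ctx *f = ctx;
    if (strstr(s, f->needle)) f->found = 1;
}

/* The strings(1) check: does any extracted text contain `needle`? */
int contains_text(const uint8_t *buf, size_t n, const char *needle)
{
    struct find_ctx f = { needle, 0 };
    utf16le_strings(buf, n, 4, find_cb, &f);
    return f.found;
}

/* Write a NUL-terminated UTF-16LE string; returns bytes written. */
static size_t put_utf16(uint8_t *dst, const char *s)
{
    size_t i = 0;
    for (; s[i]; i++) { dst[2 * i] = (uint8_t)s[i]; dst[2 * i + 1] = 0; }
    dst[2 * i] = 0; dst[2 * i + 1] = 0;
    return 2 * i + 2;
}

/* Constructed sample (not a valid CFB file): header, directory-style names at
 * 128-byte-aligned offsets, and body text at an odd offset like Word's text stream. */
size_t build_sample(uint8_t *buf, size_t sz, int with_macros)
{
    if (sz < 1024) return 0;
    memset(buf, 0, sz);
    memcpy(buf, OLE_MAGIC, 8);
    put_utf16(buf + 128, "Root Entry");
    put_utf16(buf + 256, "WordDocument");
    if (with_macros) { put_utf16(buf + 384, "Macros"); put_utf16(buf + 512, "VBA"); }
    size_t end = 641 + put_utf16(buf + 641, "Management salary list: CONFIDENTIAL");
    return end;
}

int demo_macro_sample_flagged(void)
{ uint8_t b[1024]; size_t n = build_sample(b, sizeof b, 1); return looks_like_macro_doc(b, n); }
int demo_clean_sample_flagged(void)
{ uint8_t b[1024]; size_t n = build_sample(b, sizeof b, 0); return looks_like_macro_doc(b, n); }
int demo_leaks_salary(void)
{ uint8_t b[1024]; size_t n = build_sample(b, sizeof b, 0); return contains_text(b, n, "salary"); }

int main(void)
{
    printf("macro sample flagged: %d\n", demo_macro_sample_flagged());
    printf("clean sample flagged: %d\n", demo_clean_sample_flagged());
    printf("body text recoverable: %d\n", demo_leaks_salary());
    return 0;
}
```

Two caveats a practitioner would add: a document can be renamed or nested (an OLE object inside another document, or a zip), so the check belongs on the decoded attachment bytes rather than the filename; and because stream names are matched as whole strings, ordinary body text containing the word "Macros" is not enough on its own to trip the rule, but a real parser of the directory entries is what removes the guesswork.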
Re:Microsoft Logic (Score:4, Informative)
Hiring ham-fisted negotiators doesn't hurt either! (Score:2)