Microsoft Word Zero-Day Used In Targeted Attacks

wiredmikey (1824622) writes "Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word 2010 that is being actively exploited in targeted attacks. If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges. 'The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,' Microsoft explained Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft."

Wasn't RTF supposed to be minimalistic and simple?

[skids]

Last time I looked RTF (decade or so ago) was a pretty bare-bones least-common-denominator document markup specification.

Re:

[Anonymous Coward]

Wasn't RTF supposed to be minimalistic and simple?

RTF is. Word isn't.

Word is bloated, cumbersome and buggy.

Re:Wasn't RTF supposed to be minimalistic and simp

[fuzzyfuzzyfungus]

Plus OLE support. Quite a powerful capability; but one of those powerful capabilities best handled carefully, kept away from direct sunlight, protected from shocks, and otherwise treated as though it is just waiting to ruin your day.

Re:

[Bacon Bits]

Quite a powerful capability; but one of those powerful capabilities best handled carefully, kept away from direct sunlight, protected from shocks, and otherwise treated as though it is just waiting to ruin your day.

That sounds like an apt description of a computer in general. Or dynamite. Or banks. Or the government. Or beer.

Re:

[Ravaldy]

Customer wants, company gives. Doesn't matter what the risk is, short term its money in the bank. Most companies work this way. Some care more and prevent sale of a product until it's fit. Others release the product knowing it's go major flaws and leans on the ability to push firmware updates.

Re:

[symbolset]

You have been able to embed OLE objects since 1992.

Re:

[cusco]

And who in the world thinks that Word is usable as an email viewer? It's such a dreadful experience that I'm surprised that MS still offers that option in Outlook.

Re:

[SkimTony]

Offers? That's the default behaviour in Outlook through Office 2013.

Re:

[symbolset]

Office: for when you have Real Work. You know, like managing money, or social security numbers. Medical records. Industrial controls.

The question.........

[Anonymous Coward]

RTF?!

Re: The question.........

[Anonymous Coward]

RTFA

Re:

[jones_supa]

Word !!

Word, bro! You certainly deliver a powerful point there. It seems that you excel in life. If I only could make one note, it would be that I see a great outlook for your future.

Re:

[wwphx]

But only if you have the power to point to it, I can give you access if you want.

this should never have happened

[chromaexcursion]

A simple protocol, no need for system access.
Oh well, MS seems to have found a way to screw that up.

Maybe Bill should pay to fix it ...

Re:

[Anonymous Coward]

Word processing was a solved problem in 1997, but Microsoft still has to continuously "upgrade" their software to be able to sell it again. They are out of good ideas, so they end up implementing bad ideas like adding system access to a simple protocol.

Re:

[K. S. Kyosuke]

Word processing was a solved problem in 1997

Huh, if only... Unless you mean smart-typewriter-level functionality.

They are out of good ideas

They had good ideas once?

Re:

[Viol8]

"Huh, if only... Unless you mean smart-typewriter-level functionality."

You're joking , right? Were you born then or something? I managed to right a dissertation on MacWrite back in 93 without ever once thinking it needed more functionality.

Re:this should never have happened

[marsu_k]

I managed to right a dissertation on MacWrite back in 93 without ever once thinking it needed more functionality.

I'm guessing it didn't include a spell checker?

Re:this should never have happened

[inasity_rules]

No, his dissertation had obviously been overturned, and using MacWrite, he was able to right it. :D

Re:

[Viol8]

Oh very funny :o)

Re: this should never have happened

[fizzer06]

Spell check wouldn't catch that.

Re:

[CODiNE]

I managed to right a dissertation on MacWrite back in 93 without ever once thinking it needed more functionality.

I'm guessing it didn't include a spell checker?

Nor a grammar checker I'm guessing.

Re:

[jones_supa]

Word processing was a solved problem in 1997, but Microsoft still has to continuously "upgrade" their software to be able to sell it again. They are out of good ideas, so they end up implementing bad ideas like adding system access to a simple protocol.

Heh, that's pretty bad trolling attempt.

Re:

[Gunboat_Diplomat]

Word processing was a solved problem in 1997, but Microsoft still has to continuously "upgrade" their software to be able to sell it again. They are out of good ideas, so they end up implementing bad ideas like adding system access to a simple protocol.

For me, one of the absolutely most useful aspects of a word processor is to let multiple people (across teams, partners, consultants, customers, etc.) edit and comment the same document, propose changes -- with author-specific version history tracking, sidebar comments, approve/reject functionality, etc. This has improved greatly not only since 1997 but over the last few generations of Word IMHO. Problem with the "people only need and use 20% of the features of modern Office" reasoning, is that different pe

Re:

[Ravaldy]

Actually, it wasn't. Integration to sharepoint came after. May not be important to you but some businesses live off those features. You could also say the same about Excel but I can assure you that many of the enhancements made in the recent years were greatly appreciated by many businesses.

Also adaptation to new hardware capabilities came into play to allow richer content and better word processing performance. Take a document with 250 pages that includes images in Word 1997. Do the same in the new version

Re:

[Hypotensive]

It's not a protocol at all, it's a format. A protocol describes the details of an exchange between two or more parties.

Re:Block all .RTF attachments

[fuzzyfuzzyfungus]

I'm pretty sure nobody would notice or care.

The one trick (comparatively rare; but it happens at times) is that if you take an RTF document and give it a .doc suffix, Word will interact with it happily enough and I think even save it in the RTF format if you modify-and-save.

This means that if you block by suffix, a remotely clueful attacker will just fix their suffix and carry on; but if you block by format a small and fairly unpredictable subset of '.doc' files will be weeded out for reasons users will be unlikely to grasp.

This would hardly make it the most painful thing routinely inflicted on users in the name of security; but it isn't a plus.

Re:

[dissy]

I know you are just trolling, but in case anyone considers that you might sound like you know what you're taking about...

Or you could just use a god damned system that isn't riddled with malware the way everything M$ is.

No, actually "you" can't. Our ERP system that runs the company cost around 2.5 million all said and done, and it only runs on Windows.
For our industry, there are only three (3!) such ERP packages in existance, ALL of which require windows to run (Except Oracles product, which can use windows and/or work poorly in non-IE browsers, but better than nothing if you can afford them)

Do YOU plan

Re:

[wwphx]

Thank you, Dissy. My last job (and probably my next) was in a Windows environment, our ERP-that-is-not-to-be-named abused SQL Server to the point that if you unplugged the server while it was doing a payroll process, you had to load a backup from before the start: the ERP-system-never-sufficiently-cursed did not use SQL Server's transaction log, all record updates were line-by-line using cursors through an application server so that their one pustulent code base would work poorly against SQL Server, Oracle

Re:

[mlts]

It isn't the absolute best fix, but MS's EMET (Enhanced Mitigation Experience Toolkit), does stop any attacks via this route. I'm sure EMET probably breaks some apps (easily fixed by adding exceptions, and probably why this tool isn't included in the base OS), but it is worth installing and using.

The best thing about standards is

[invictusvoyd]

There are so many of them to choose from

Is LibreOffice vulnerable to the same exploit?

[mmell]

No? Okay, later.

Zero Day emacs flaw...

[hawkingradiation]

Did you know that there is a zero-day emacs flaw which allows an attacker to run arbitrary Lisp code??? Scary, I know, much less vim. If Emacs is to overtake Windows, this type of careless programming has to stop.

Re:

[MightyMartian]

I'd love to see a Lisp virus.

Re:

[Anonymous Coward]

A lisp virus is the same as a regular virus, except that you pronounce it Lithp Viruth.

Re:

[David Gerard]

How about uninstall-resistant adware written in Scheme [archive.org]?

Re:

[cold fjord]

That was fascinating. Thanks for posting it.

Re:Is LibreOffice vulnerable to the same exploit?

[RoLi]

Probably the MS-fans will think that's a problem, because LibreOffice is not "compatible".

In fact the very fact that LibreOffice is an independent implementation of the file formats is a big advantage, because it is much more robust - When you reverse-engineer something you usually cover all possibilities (of a variable, etc.) - this is also the reason why you can often open corrupted .doc files with LibreOffice.

Re:

[mmell]

How long have you been working for Microsoft?

Re:

[hobarrera]

So, FOSS software is back because you loose your UNSAVED work during a power surge? OH NO!

Ctrl+S is your friend, and always will be.

Libre office is also a gay name, further proving that FOSS developrs just don't have any style or class.

Well, if it's such a happy name, all the more reason to use it! ^_^
Devs don't need class. They just need to develop good software. Period.

Re:

[mmell]

Actually, back when it was OpenOffice they encountered this question. A known exploit which took advantage of the Word file format was replicated to allow the same exploit to work in OpenOffice. The justification (which was quite correct) was that the exploit took advantage of the file format specification, not a code bug. I.e. - the format itself was flawed, and a correct implementation of the format would not correct the design flaw.

OTOH, Microsoft doesn't own Rich Text format, and RTF is not inherent

Re:

[wwphx]

dBase III+ back in the '80s had a competitor called FoxBase. FB was crazy fast due to a very fast pre-compiler and a greatly improved indexing scheme. FB copied dBase's bugs because they had known workarounds in the programming community, and fixing the bug would break established code. Of course dBase was bought out by Borland, FB was bought out by Microsoft, and the world moved on to better implementations of the relational model.

Re:

[mmell]

Yeah, that's why I used Clipper. It turned dBase code into very excellent standalone applications, and faster than the dBase interpreter.

Re:

[wwphx]

My PHBs wouldn't spring for something like Clipper. Still, we did some pretty amazing things with FB.

Seriously these are negligent greedy schits

[Anonymous Coward]

How many years, decades even, has microsoft had the time to understand and get these issues fixed ?

They simply DONT CARE. They retain features like this for their own convenience instead of spending some of those profits on solving the problems these 'easy and vulnerable' solutions of theirs are for.

Thses problems have been identified again and again and whatever bandaids microsoft has done was not a systematic elimination.

Shoddy work with a monopoly is a bad situation and Bill Gates who set the pattern for

Whew, dodged a bullet there!

[fuzzyfuzzyfungus]

Privilege escalation is always worse than 'execute with same privileges as user'; but for primarily-end-user software the distinction seems a great deal less helpful (unlike, say, on the server, where attacks isolated to one service account or daemon are legitimately less dangerous). Joe User's security context has access to more or less his entire life in documents and ill-secured website passwords, and enough permission to plant something that will start when he next logs in in a zillion different places that he isn't likely to notice(details will vary by OS; but the only real exception would be the control-freakier mobile ones). So Joe User is screwed at either privilege level, and, from the perspective of fixing the system, conclusively proving that only user-level access was gained and the system is still secure (much less attempting to fix it if it isn't) is so much more time consuming than just nuking it and applying a fresh image that you'd only try in order to get samples of the attacker, not because it's worth the trouble on its own.

Re:

[gradinaruvasile]

Well its very true. Nowadays there are many user-level malicious programs, mostly various ransomware types which can inflict various levels of annoyances on the users.
Just imagine opening a document and "catching" cryptolocker...

Re:

[gradinaruvasile]

You mean you can decrypt the encrypted files without the decryption key?

Re:

[Himmy32]

Yep, let's believe the the AC who can crack RSA 1024 bit triple DES in 10 minutes using a debugger... But in all seriousness here's a neat blog post breaking down what the malware actually does using a couple debuggers including ollydbg before it gets to the encryption part.

Re:

[Himmy32]

Forgot the link.
http://www.antimalwarelab.com/... [antimalwarelab.com]

Why do people continue to use diseased products?

[TrentTheThief]

MS Word has been insecure since MicroShaft decided to add VBA and tie Word into the OS. Nothing but virus attacks and worms.

Why the hell do so many people continue using shit products so damned likely to infect their system?

Re:

[TrentTheThief]

I don't remember the DOS version being particularly insecure.

Re:

[TrentTheThief]

You send actual Word documents outside your control? Thanks asking for trouble. Send a PDF.

Re:

[TrentTheThief]

LOL. Get ye back under your bridge.

Re:

[WaffleMonster]

MS Word has been insecure since MicroShaft decided to add VBA and tie Word into the OS. Nothing but virus attacks and worms.

Why the hell do so many people continue using shit products so damned likely to infect their system?

File -> Options -> Trust Center ... First thing any sane person should do after installing word is turn off all macros and activex/vba without notification.

Most security professionals consider MS the bar

[walterbyrd]

> "Most security professionals consider Microsoft the bar every other vendor should strive to meet."

Computerworld said it, so it must be true.

http://www.computerworld.com/s/article/9246837/Perspective_Microsoft_risks_security_reputation_ruin_by_retiring_XP?pageNumber=2

Re:

[dunkindave]

They're right, if you are not above the Microsoft bar, you should get out of the business.

More interesting

[kilodelta]

Is that Google is the one exposin the flaws in Microsoft office. I've recently ditched all things Microsoft. Went over to the dark side, Ubuntu. Why not? It has all the applications and functionality I had on my ancient XP laptop plus a whole lot more. Plus it comes bundled with Firefox and Thunderbird which I was using on my XP box to begin with. All I had to do was copy over my documents, music and profiles for both and I got everything back. And Libre office has come a very long way. Plus I have my NNTP

Re:

[account_deleted]

Comment removed based on user account deletion