
MS Word Zero-Day Exploit Found

subbers writes "A zero-day flaw in the Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"
  • Question (Score:2, Interesting)

    by benjjj ( 949782 ) on Friday May 19, 2006 @02:45PM (#15367663)
    Would someone with more knowledge than me explain the term "zero day"?
  • by pla ( 258480 ) on Friday May 19, 2006 @02:46PM (#15367671) Journal
    FTA: Symantec's DeepSight team said the exploit successfully executes shellcode when it is processed by Microsoft Word 2003. The malicious file caused Microsoft Word 2000 to crash, but shellcode execution did not occur.

    Wonderful! So it only affects the latest-and-greatest versions of Office. Considering that MS hasn't added anything since Office 95 (I still run '97, myself), I expect only business users on SA should ever get hit by this exploit.


    Then again, I suppose this means that Microsoft has added something, at least since Office 2000... Namely, more security flaws. Woot! Way to go Billy G! "Focus more on security" indeed.
  • Good thing... (Score:3, Interesting)

    by DnemoniX ( 31461 ) on Friday May 19, 2006 @02:47PM (#15367676)
    Guess it is a good thing that I haven't seen enough added value to justify a move from Word 2000 to 2003 in our organization.
  • DEP? (Score:4, Interesting)

    by urikkiru ( 801560 ) on Friday May 19, 2006 @02:47PM (#15367678) Journal
    Does this still work with hardware supported Data Execution Protection enabled I wonder? Just curious. Seems like the kind of thing it's supposed to trigger against. I know that with it enabled, I can't profile a visual studio project I'm working on, as the profiling app hooks into the memory of the app I'm working on. Not sure if this is a similar thing though. But still, seems like something that should be a clear separation between executable and data segments of memory.
  • This is nonsense! (Score:1, Interesting)

    by WhiteWolf666 ( 145211 ) <sherwinNO@SPAMamiran.us> on Friday May 19, 2006 @02:50PM (#15367697) Homepage Journal
    I've read comments from Microsoft trolls on at least 2 other articles saying that if I have up to date virus definitions and a working firewall I'll never experience any infection from anything like this.

    Over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over again.

    How many years have y'all been virus free, boys? 5? 50? 500? Because, after all, people never get viruses when they have all the available OS updates, all the AV definitions up to date, and a working firewall. Right? /flameretardant materials on. I expect the MS fanbois to be storming this article in a matter of minutes.
  • by 955301 ( 209856 ) on Friday May 19, 2006 @02:51PM (#15367707) Journal
    Forgot one thing. This is what we need IPv6 for. If everyone in the country had a distinct permanent IP for each machine, they could share their resume or other docs from their own machine, provide permission to a company to access it, then send an email with no attachment, just the url to their share.

  • Idiotic practice (Score:3, Interesting)

    by Anne Thwacks ( 531696 ) on Friday May 19, 2006 @03:00PM (#15367789)
    I wish to own up as having performed idiotic practices (With and without the help of Windows).

    I have a PDA running WinCE, and I can only sync it with MS Active Sync if I am logged on as administrator. I really detest this. It would be so much better if each member of the family could sync their own PDA when logged in as themselves. However, Active Sync does not appear to support this. This machine has to be connected to the internet to update my WinCE apps. I suspect this makes Active Sync "goods not of merchandisable quality" in the terms of the UK "sale of Goods Act", and I am willing to participate in a class action against MS.

    I only use the Windows computer for syncing my PDA. For everything else, I use FreeBSD.

  • Re:security? (Score:2, Interesting)

    by daern ( 526012 ) on Friday May 19, 2006 @03:43PM (#15368131)

    How about:
    - make sure your users don't work as administrator but under an unprivileged user account
    - set up the system so that this unprivileged user account cannot write in %windir% and %ProgramFiles%
    - build the network in such a way that programs cannot directly "connect home" but can connect to the Internet only via well-defined proxy servers
    - set up mail so that incoming office documents opened from mail do not open in Office but in the free Office viewers instead

    ...and after you do this, how long, exactly, would it be before you were lynched by your users and then sacked by your boss for stopping people from working?

    Microsoft stuff ain't good, but seeing as how many, many applications still rely on being able to write to their %ProgramFiles% folder, I think this is going to make your life tricky. Unless you are personally volunteering to keep going back and fixing their PCs every time they want a new app to run...?

    Oh, but you're only going to let them run the apps that *you* say they can. They'll love you for that...

    Got any remote workers? Going to force them to connect through your managed proxies too? Even when not hooked to the VPN? Again, you can lock them down, but you ain't going to make any friends...

    I like the idea of opening incoming docs in a viewer, but who's to say that won't have the same flaw. Oh, and what if the reviewer wants to make a quick change and email it back - pain in the arse if they have to close the viewer, save the file, open in word, edit, save, email. Much easier if you can do it straight from the original viewer...

    I do understand your frustration. I really do. But for those of us that live in the real world, you've just got to grit your teeth and work with what you've got. Oh, and make sure that Microsoft feel your pain, of course... :-)

  • by 955301 ( 209856 ) on Friday May 19, 2006 @03:51PM (#15368206) Journal
    What virus infected document? The one that couldn't be emailed to me?

    You mean the one that has to be sitting on a server for me to get. That document was blocked a long time ago when someone else clicked on it and IT security stopped access to the IP at the firewall to prevent further spreading from the source.

    And now, since I cannot email it to someone else, the virus has to share itself on my drive and spread that link around. Only it can't because the workstation doesn't allow shares. There is a corporate share I place docs on.

    So now the virus has to find the corporate share, find a directory I have access to and embed itself there. Then email others in the company. Only most others in the company don't have access to the share I have access to. So most can't open the document.

    Now you've slowed it down to only spreading to the team with rights to the share using a medium which can be managed - temporarily block the share - scan for the document and remove it - turn the share back on. Other team members risk sharing with the few people they interact with from other teams, but the virus has to find which people those are from the permissions on the share versus mailing list - a sparse matrix.

  • Re:security? (Score:5, Interesting)

    by pe1chl ( 90186 ) on Friday May 19, 2006 @04:00PM (#15368260)
    I do understand your frustration. I really do.

    I don't think so. The system at work has been running like described above for 5 years and there are no real problems. And we are not sitting shaking in our chairs waiting for the next trojan or virus.

    many applications still rely on being able to write to their %ProgramFiles% folder

    Mostly just hobbyist-in-a-garage stuff and telebanking applications. More serious developers have read Microsoft guidelines over the past years, especially when XP SP2 came out.
    The very few exceptions can be managed using a global group and an ACL entry.

    Oh, but you're only going to let them run the apps that *you* say they can.

    This is the basis for any managed IT environment.

    Got any remote workers?

    Remote workers can only work via the VPN. Because a group policy applied firewall prevents them from connecting directly to the Internet.
    Via the Internet they can connect home over VPN and then back out for websurfing via the proxy. This works well.

    they have to close the viewer, save the file, open in word, edit, save, email.

    Maybe you need to install the viewers and have a look. They actually have a menu entry to "open this document for editing" which automatically transfers control to Office.
    I actually dislike the idea of opening an attachment from a basically read-only entity like an incoming mail into a read/write application by default. Users will start editing the document and forget that it cannot be saved back to the original location.
    Opening in a viewer shows the user that it is a read-only document that they need to save elsewhere to edit it.
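
A read-only check for the first two items of the checklist discussed above (unprivileged account, no write access to %windir% and %ProgramFiles%), as an added PowerShell example that is not part of the thread. The function names are illustrative, and the script lists matching Allow ACEs rather than computing effective access, so Deny entries are not evaluated.

```powershell
# Added example: audit the current session against the checklist.
# It only reads the token and the folder ACLs; nothing is modified.

function Test-IsAdministrator {
    # True only when the Administrators group is enabled in this token
    # (a non-elevated shell under UAC reports False).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-WritableAccessRule {
    param([Parameter(Mandatory)][string]$Path)

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs carried by the current token: the user plus its groups.
    $sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Rights that let a process drop or replace files in the folder.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the folder itself.
        if (([int]$rule.PropagationFlags -band [int]$inheritOnly) -ne 0) { continue }
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -ne 0) { $rule }
    }
}

$report = foreach ($dir in @($env:windir, $env:ProgramFiles)) {
    $hits = @(Get-WritableAccessRule -Path $dir)
    [pscustomobject]@{
        Path       = $dir
        Writable   = $hits.Count -gt 0
        GrantedVia = ($hits.IdentityReference.Value | Sort-Object -Unique) -join ', '
    }
}

"Running as administrator: $(Test-IsAdministrator)"
$report | Format-Table -AutoSize
```

A session that meets the checklist reports `False` for the administrator test and `Writable = False` for both folders; any SID listed under `GrantedVia` is the group or account whose ACE needs review.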
  • Re:security? (Score:3, Interesting)

    by NeutronCowboy ( 896098 ) on Friday May 19, 2006 @04:21PM (#15368422)
    Ah.... the old "castrate the user so that they can use Word, email and minesweeper only."

    Let me give you an example: I work as a consultant. My laptop is my life. Every week, there is a chance that I'll have to install some weird VPN software on it, program demos, home grown connection programs and change my registry, firewall and connection setting so that I can properly work in the client's network. If my laptop is set up to your specifications, I'm out of my job. For the simple reason that I don't have the time necessary to propagate these change requests through the proper command structure.

    Here's what can be done instead:
    - make it actually possible to do daily work with a low-privilege user.
    - make it easy to give yourself the necessary privileges when you do need root, admin or something similar.

    What's that you say? Get a mac? Hey, tell that to my clients.
  • by twitter ( 104583 ) on Friday May 19, 2006 @04:35PM (#15368530) Homepage Journal
    Just a few more exploits like this and we will finally put an end to word attachments. Yes, RMS warned about viruses back then too:

    Receiving Word attachments is bad for you because they can carry viruses (see http://en.wikipedia.org/wiki/Macro_virus). Sending Word attachments is bad for you, because a Word document normally includes hidden information about the author, enabling those in the know to pry into the author's activities (maybe yours). Text that you think you deleted may still be embarrassingly present. See http://news.bbc.co.uk/2/hi/technology/3154479.stm for more info. But above all, sending people Word documents puts pressure on them to use Microsoft software and helps to deny them any other choice. In effect, you become a buttress of the Microsoft monopoly. This pressure is a major obstacle to the broader adoption of free software. Would you please reconsider the use of Word format for communication with other people?

    Email is supposed to be collaborative. It sucks when people force others to choose between working with them and their software freedom.

  • Re:security? (Score:2, Interesting)

    by Tweezer ( 83980 ) on Friday May 19, 2006 @05:00PM (#15368733)
    For everyone bitching about how this is difficult, apparently you aren't very good Windows admins, because this is very easy to do in an Active Directory environment. I have 350 users with 200+ unique apps and all but some older developer tools run without admin. I can usually set up a group policy to fix an app that requires admin in about 15 minutes. For users that have laptops in the field that may need to install something themselves, teach them to use runas. This is similar to SU and allows the users the privilege for the one process they are starting. All the spyware and virus problems go away when you do this. I haven't seen a case of spyware where I work in years and probably won't see anything soon as users can't accidentally install software.
  • by Drinking Bleach ( 975757 ) on Friday May 19, 2006 @05:25PM (#15368952)
    If users have to fear opening a word processing document, something is terribly wrong with the word processor. Okay, I'll give you a break that you can't stop all buffer overflows and the such, but when the software is on the level of Microsoft Word (in terms of exploits, bugs) there needs to be some serious rethinking done inside the developers' minds.
  • Is e-mail an _english_ medium?

    If you can't assume rich text, why assume _english_?

    Better yet, why not send a rich e-mail (especially from a variety of applications, or in a commercial sense) that contains multiple encodings, and select the correct language based upon the recipient's linguistic settings.

    No reason that iPhoto 2010 "form e-mails" containing images shouldn't contain the image metadata and a, "Hi! So and so sent you these " in whatever language the client chooses.

    Restricting e-mail to plaintext is no different to restricting the web to gopher. We moved on. So should you.
  • Re:Patch available (Score:3, Interesting)

    by xtracto ( 837672 ) on Saturday May 20, 2006 @02:13PM (#15372753) Journal
    I have yet to count the number of times I have read these comments, and better yet, they always come after someone criticizes the real lack of compatibility between OO.org and MS Office.

    And moreover, how many Karma points does this comment get each time, FOR THE LOVE OF GOD MODS THIS IS UTTERLY REDUNDANT!

    I agree that MS Office may not be good, in fact it is a P.O.Shit, and O.O.org is nice, (though a bit slow and big) and also free, but IT IS COMPLETELY AND PURE BULLSHIT to state that it is compatible with the other, and yes, if people want to put OOorg at the level of MS Office (as a replacement) then OOo MUST do what MSOffice does now, (as good or bad as it does it), while that does not happen just shut the fuck up and continue using your office suite while everyone else is happy using their POS. Micro$uck 0ff1ce (or however you want to call it).

    yeah, sorry I just got pissed, in fact I will start with this,
    THIS IS THE FIRST COMMENT SAYING THE SAME OOorg-MSOffice compatibility.
