According to SANS, attackers have been selectively exploiting a previously undocumented vulnerability in Microsoft Word XP and 2003 (the eEye advisory says Word 2000 is affected too). It also affects Microsoft Outlook, which uses Word as its default email editor. SANS has an updated advisory here. So far the attacks have been very targeted and the tools aren't widely available to script kiddies, but it's a very serious vulnerability. Microsoft then released Advisory 919637 and warned that the vulnerability.
So far Microsoft has only workarounds to offer. The problem with workarounds is that they are usually impractical and, in practice, ineffective: they take so much manual work that few people actually implement them. For example, Microsoft tells you to do the following:
- Change Outlook's default email editor so it no longer uses Word
- Only use Word in safe mode
You're given two ways of implementing the safe-mode workaround: manually create a shortcut for Word that uses the "/safe" switch, or edit the registry in multiple places. The shortcut option isn't too bad: right-click somewhere on the desktop, click "New", then "Shortcut", and feed it the string:
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" /safe
This assumes you're using the default location for Word 2003. I won't even get started on the registry hack because it gives me a headache just looking at it. Microsoft did offer this document on how to implement the registry changes, but it's quite long and scary. To make things worse, there are some serious limitations to running Office in safe mode (it disables add-ins, templates and customizations, among other things), and the effectiveness of the workarounds is highly dubious. For example, you're asked not to open Word documents by double-clicking on them directly; instead you're supposed to open Word in safe mode first and then open the file from within it. The chances of getting most of your users to do this are somewhere between slim and none.
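If you do want to push the safe-mode workaround to more than one machine, it can be scripted. The following is an added example, not Microsoft's documented steps and not code from the original post: it creates the /safe shortcut described above and, optionally, rewrites the file-association so that double-clicking a .doc launches Word in safe mode instead of handing the file to a normal instance. It assumes the default Word 2003 install path (OFFICE11), that .doc files use the ProgID Word.Document.8, and that its shell Open command lives under HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\command; check those on your own build before running it, and run it from an administrative PowerShell prompt.

```powershell
# Added example (not from the original post or from Microsoft's advisory).
# Assumptions: default Office 2003 path, ProgID Word.Document.8 for .doc files,
# Open command under HKCR\Word.Document.8\shell\Open\command. Verify before use.
param(
    [string]$WinWord = "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",
    [switch]$PatchRegistry   # also make double-click open .doc files in safe mode
)

if (-not (Test-Path $WinWord)) { throw "WINWORD.EXE not found at $WinWord" }

# 1. Desktop shortcut that always starts Word in safe mode (the "manual shortcut" option).
$desktop = [Environment]::GetFolderPath("Desktop")
$lnkPath = Join-Path $desktop "Word (Safe Mode).lnk"
$shell   = New-Object -ComObject WScript.Shell
$lnk     = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $WinWord
$lnk.Arguments        = "/safe"
$lnk.WorkingDirectory = Split-Path $WinWord
$lnk.Description      = "Microsoft Word in safe mode (Advisory 919637 workaround)"
$lnk.Save()
Write-Host "Created $lnkPath"

# 2. Optional: rewrite the .doc Open command so double-click launches "WINWORD.EXE /safe <file>".
#    The ddeexec subkey is removed because DDE would otherwise route the file to an
#    already-running, non-safe Word instance (assumption about Word 2003's DDE handoff).
if ($PatchRegistry) {
    $openKey = "Registry::HKEY_CLASSES_ROOT\Word.Document.8\shell\Open"
    $cmdKey  = "$openKey\command"
    if (-not (Test-Path $cmdKey)) { throw "Open command key not found: $cmdKey" }

    # Keep an export so the change can be reverted once a real patch ships.
    $backup = Join-Path $env:TEMP "Word.Document.8-Open-backup.reg"
    Remove-Item $backup -ErrorAction SilentlyContinue
    & reg.exe export "HKCR\Word.Document.8\shell\Open" $backup | Out-Null
    Write-Host "Backed up original Open command to $backup"

    $original = (Get-ItemProperty -Path $cmdKey).'(default)'
    if ($original -notmatch '/safe') {
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$WinWord`" /safe `"%1`""
        if (Test-Path "$openKey\ddeexec") { Remove-Item -Path "$openKey\ddeexec" -Recurse }
        Write-Host "Open command now: $((Get-ItemProperty -Path $cmdKey).'(default)')"
    } else {
        Write-Host "Open command already uses /safe; nothing to do."
    }
}
```

Run it as `.\word-safe.ps1` for the shortcut only, or `.\word-safe.ps1 -PatchRegistry` to change the file association as well. The registry change is a per-machine deployment that users can't forget to follow, which is the whole problem with the manual version, but it still carries every safe-mode limitation mentioned above, and the exported .reg file is what you restore once the real patch is installed.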
Microsoft really needs to do two things, one for the short term and one for the long term. In the short term they need to provide a Word patch immediately, or at the very least by the next monthly update. In the long term, Office needs the same kind of treatment as IE7+ (the version of Internet Explorer 7 for Vista), which runs with limited privileges. When a document is opened from disk or email, there is no reason Word needs read/write access to anything other than the document being opened. If a user opens a blank instance of Word, it would be reasonable to let Word run with the same permissions as the user who launched it. Confining the application this way is the only way to preemptively prevent future attacks, documented and undocumented alike.
Though malformed files aren't unique to Microsoft, Microsoft Office is ubiquitous and is therefore a huge target of opportunity for attackers. Microsoft can't afford to let its flagship product put customers in danger, and it should take the lead in application hardening.