Zero-day Word Exploit still needs patch - workaround weak


Summary: To make things worse, there are some serious limitations in running Office in safe mode and the effectiveness of the workarounds is highly dubious. For example, you're asked not to open Word documents by directly double clicking on them and instead you're supposed to open Word in safe mode first and then open the file. The chances of getting most of your users to do this are somewhere between slim and none.


According to SANS, hackers have been selectively targeting a previously undocumented exploit in Microsoft's Word XP and 2003 (the eEye advisory says Word 2000 is affected too).  The exploit also affects Microsoft Outlook, which uses Word as its default email editor.  SANS has an updated advisory here.  So far the attacks have been very targeted and the tools aren't widely available to script kiddies, but it's a very serious vulnerability.  Microsoft then released Advisory 919637 and warned that the vulnerability.

Microsoft so far only has some workarounds to offer.  The problem is that workarounds are usually impractical and ineffective since so few people actually implement them because it takes so much manual work.  For example, Microsoft tells you to do the following:

  • Change Outlook's default email editor
  • Only use Word in safe mode

You're basically given two ways of implementing this workaround: manually create a shortcut for Word using the "/safe" switch, or hack the registry in multiple places.  The shortcut option isn't too bad because you just right click somewhere on the desktop, click on "new", and then "shortcut".  Then you feed it the string:

"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" /safe

This is assuming you're using the default location for Word 2003.  I won't even get started on the registry hack because it gives me a headache just looking at it.  Microsoft did offer this document on how to implement registry changes but it's quite long and scary.  To make things worse, there are some serious limitations in running Office in safe mode and the effectiveness of the workarounds is highly dubious.  For example, you're asked not to open Word documents by directly double clicking on them and instead you're supposed to open Word in safe mode first and then open the file.  The chances of getting most of your users to do this are somewhere between slim and none.
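The shortcut step above, scripted so it doesn't have to be clicked through by hand on every desktop. This is an added example, not part of Microsoft's advisory or the original post; the shortcut name and the App Paths registry lookup are assumptions, with the article's default Word 2003 path as the fallback.

```powershell
# Added example: create a "Word (Safe Mode)" desktop shortcut for the current user.
# Assumptions: the shortcut name is made up for illustration; WINWORD.EXE is found
# through the App Paths registry key, falling back to the Word 2003 default path
# quoted in the article.

$defaultPath = 'C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE'
$appPathsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'

function Get-WordPath {
    # Prefer the registered location, since Office is not always in the default folder.
    if (Test-Path $appPathsKey) {
        $registered = (Get-ItemProperty -Path $appPathsKey).'(default)'
        if ($registered -and (Test-Path $registered)) { return $registered }
    }
    if (Test-Path $defaultPath) { return $defaultPath }
    return $null
}

function New-SafeModeWordShortcut {
    param([string]$Name = 'Word (Safe Mode)')   # hypothetical shortcut name

    $word = Get-WordPath
    if (-not $word) {
        Write-Warning 'WINWORD.EXE not found; no shortcut created.'
        return $null
    }

    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop "$Name.lnk"

    # WScript.Shell builds the .lnk; /safe is the switch from the workaround.
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $word
    $lnk.Arguments = '/safe'
    $lnk.WorkingDirectory = Split-Path $word
    $lnk.Description = 'Starts Word in safe mode'
    $lnk.Save()
    return $lnkPath
}

New-SafeModeWordShortcut
```

The script only adds the shortcut; a user who double clicks a .doc file still gets Word in its normal mode, which is the limitation described above.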

Microsoft really needs to do two things: one for the short term and one for the long term.  In the short term they need to provide an Office Word patch immediately but at the very least by the next monthly update.  In the long term, Office really needs some special treatment like IE7+ (the version of Internet Explorer 7 for Vista) where IE7+ is given limited privileges.  Whenever a raw Office document is opened, there is no reason Office needs read/write permissions to anything other than the document being opened.  If a user opens a blank instance of Word, then it would be safe to allow Word to have the same permissions as the user that launched Word.  This is the only way to preemptively prevent future documented and undocumented attacks.

Though malformed files aren't unique to Microsoft, Microsoft Office is ubiquitous and therefore is a huge target of opportunity for hackers.  Microsoft can't afford to allow their flagship product to put customers in danger and they should take the lead in application hardening.


Talkback

93 comments
  • My Workaround...

    Uninstall Outlook, use Lotus Notes.

    I know it's not an answer, but I thought if all the Linux Fans do it, why can't an IBMer do the same?
    nucrash
    • Insert alternative Office Suites Here

      Right after you get done removing the rest of Office.
      nucrash
    • Lotus Notes won't change a thing

      This is a Word issue, not an Outlook issue. It doesn't matter which email client is used to open the email. Once the Word attachment is opened, the payload is triggered.

      In this case, Notes will not be your savior.
      Zeppo9191
      • Outlook by default is affected too

        If you use Outlook with default settings which use Word, it's affected too.
        georgeou
    • Nothing wrong with Lotus, but it has had flaws too

      Lotus has had its share of flaws too. The Outlook ones are just more pronounced because so many people use it. OO.o isn't really close to being a good replacement for MS Office. MS needs to lock their office suite down more than anyone else and take a lead since they're the ones most attacked.
      georgeou
      • Wrong, Open Office is more than good enough.

        Not only is Open Office as good as MS Office, it seems to have no issues loading and fixing corrupt Word and Excel documents that MS Office can't even open!

        I'll take Open Office any day.
        linux_for_me
      • Replacement?

        I can't remember the last time I used MS Office? I never looked at Open office as a replacement. More like a compatible office. The leaps that Oo.o has made in a short time is amazing!

        MS Office should be free! That might give MS the gold star! Easy targets are attacked most. I would venture to guess that Open office is the most used open source application by Linux and Windows users alike. It's free and is killing MS office sales.
        xstep
      • tell it to dixons

        DSG are using OOo so it mustn't be all bad.
        Scott W
  • Microsoft's patch schedule needs to be scrapped.

    By saving all of their fixes for release at a certain date each month, Microsoft continues to put their customers at risk. A schedule of simple maintenance upgrades may be OK, but any patch for any type of security flaw, needs immediate attention.

    Microsoft's work around for this particular flaw, is an IT nightmare, as the average user will not be able to implement this fix on their own. The IT tech teams will have to decide whether to live with the flaw until an update is available, or visit each desktop to make the changes that Microsoft recommends. Those organizations that use a system management suite may have an easier time, but resources for making a fix and testing it before a roll out will still be needed.

    Come on Microsoft, you need to get off your $&%#'s and fix your software....NOW!
    linux_for_me
    • Layoff of the Patch Schedule

      The Patch Schedule is not a problem, developing a working patch for the exploit is, but if we want to make fun of Microsoft, be sure to turn on Oracle and IBM for they seem to be having trouble getting patches out the door as well. Apple appears to be releasing patches like mad right now, hopefully that will lead to them being the superior OS/Software Solution.
      nucrash
      • Patch schedules are pure idiocy

        Holding patches, especially security ones, until a specified release date, is idiotic. Schedules are OK for non-security maintenance patches, but security patches need to be released as soon as they are available. Otherwise, you end up with a lot more compromised systems to fix.

        I agree that Microsoft needs a lot of improvement in even getting a patch out in the first place. And this complaint is valid for all software companies, not just Microsoft.
        linux_for_me
        • Why hit on Patch Schedules

          Critical Patches are still released out of schedule because of need. Zero Day exploits are also released once need is addressed and development is complete.

          This crap about "Patch Schedules are l4m3" has to go. This mentality is making fun of something that isn't a problem. I do like being able to test a month's mass of patches instead of having to test each individual bit and see which one breaks the box. This does reduce the time of testing. If a series of patches does break a system, then I worry which one does it, not before.
          nucrash
    • You know what's funny...

      "By saving all of their fixes for release at a certain date each month, Microsoft continues to put their customers at risk. A schedule of simple maintenance upgrades may be OK, but any patch for any type of security flaw, needs immediate attention."

      This is a no win situation for Microsoft or any vendor.

      Scheduled updates have pros and cons. With scheduled updates you have more testing time, but more vulnerability time.

      For unscheduled updates (like they did prior).. You risk updates that screw things up consistently as they did in the past, but less vulnerability time (or more if you think of how many times they've patched things that unpatched previous fixes).

      Second.. Majority of computer users won't be affected by it, and it ends up being just another thing for anti-microsoft users to whine about.

      And linux users have their own issues to deal with.

      The problem isn't their patching schedule, it's their inability to patch things to begin with.
      ju1ce
      • dunno what you're talking about

        they seem to be able to patch plenty of apps in a very short span of time. also remember that most linux apps are beta (<v1.0) and still beat plenty of commercial apps in stability.
        Scott W
  • The genie is out of the bottle already on security

    Despite Microsoft's recent efforts to get security back under control, it's too little too late at this point. So many 3rd party application vendors have come to rely on the wide open, poorly thought out security configuration that Microsoft used to have in place by default that now it is near impossible for people to lock the OS down and keep their applications running. Try locking down IBM WebSphere on a Windows OS and you'll see what I mean.
    ejhonda
    • Vista appears to fix some of this

      At least with their security model, the OS is a little more tightly designed. I especially like the UAC and the Sandboxing of Internet Explorer.

      Complain all you want, but at least Microsoft appears to be moving in the right direction.
      nucrash
      • Yeah, but it's like turning the battleship around ...

        ... rather than changing direction with a jet ski. Now, I KNOW the wish for addressing patches with the nimbleness of a jet ski is the IDEAL, but, heck, there's gotta be some solution better than the once-a-month battleship model.
        OButterball
        • Yes but,

          How does a Jetski handle a 50 foot Rogue wave, or long distances?

          Granted, I know Windows has become a Tanker like OS when all they need to travel along the coast line of the ocean of information. But Linux hasn't been doing much better lately.

          I personally blame people for wanting these enhanced GUIs.

          Hail Green Screen.
          nucrash
          • Do any of these whipper snappers know ...

            ... what those F1 through F12 keys were all about! (Heck, I remember a time when it was F1 through F10! And it seems to me I composed a heck of a lot faster when my hands didn't leave the home position on the keyboard to go groping for the mouse.)

            I'm with you, nucrash.
            OButterball
          • Linux does patching much better than MS

            I would like proof of your statement that linux hasn't been doing much better lately. Linux has ALWAYS done better than Microsoft in patching the OS.

            On the very rare occasion that a security patch is needed, it is made in record time and available almost immediately. No waiting up to a month so the system can be compromised.
            linux_for_me