
Don't Open That Doc!


Dubh Aingeal


Posted

Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a Word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources.

Posted

erm...

there's holes in Word 97 that are continued into the latest version of Word that were never patched

BAD AND VERY BAD "SPY" NEWS

The "Document Collaboration Spyware" exploit Alex Gantman posted on Bugtraq on August 26 has hit almost every major news outlet in the world. Much has happened since the flag went up. To summarize: I've got some bad news. And I've got some very bad news.

The bad news: Microsoft hasn't done squat for its customers. There's a press release that MS posted in response to Ian Hopper's story for the Associated Press (good story, by the way). You can see MS's Party Line at http://www.microsoft.com/technet/security/topics/secword.asp. But as far as I know, that's the extent of Microsoft's missives to its customers. Three and a half weeks later, and there's no security bulletin, no official warning, no nothing. The only suggestion Microsoft has come up with - examine field codes in your document manually - is so lame I don't know if I should laugh or cry... or scream. Can *you* look at a field code and know if it will automatically suck in a sensitive file? How can hundreds of millions of Office users be expected to tell the difference between a safe field code and a spy?

We now have a tool to help you identify suspect documents - you can see below for details but I know you're impatient so look at http://www.woodyswatch.com/util/sniff

More bad news: in the past couple of days I've cobbled together a "spy" document that automatically retrieves the full file names of all documents which are already open when the "spy" document gets opened. (You'll recall that Alex's exploit requires the attacker to know the precise name and location of the file that's being spied upon.)

The very bad news: that new file name retrieval "spy" technique works automatically and silently in all versions of Word - 97, 2000, or 2002 (the version in Office XP).

Microsoft says "For best security, we recommend that customers use Word 2002." I don't buy it. Microsoft got lucky when it changed the way certain fields were updated in Word 2002 - Alex's original exploit doesn't work automatically in Word 2002. But they weren't looking at Word fields from a security point of view when they sent Office XP out the door, and they missed at least one gaping hole.

I've sent seven exploits to Microsoft in the past two weeks. A couple of them are no more than parlor tricks - so far - but most of them look ominous. Several of them work automatically in all versions of Word: Word 97 ain't the only version with its tail hanging out. Microsoft assures me that they're on top of all of the problems I've sent so far. I sure hope so.

We here at WOW Central have a tool that will help you identify "bad" fields in Word documents. Keep reading.
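
The manual field-code check described in the quoted newsletter can be partly automated. The following is an added example, not part of the original post and not the code of the WOW tool it mentions: a heuristic Python scan of raw .doc bytes that lists field instructions and flags field types that read from another file. The flagged set, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# Word's binary format brackets each field with control characters:
# 0x13 begins a field, 0x14 separates instruction from result, 0x15 ends it.
_FIELD_RE = re.compile("\x13([^\x13\x14\x15]{1,512})")
_NAME_RE = re.compile(r"\s*([A-Za-z]{2,})(?=\s|\\|$)")

# Field types that read content from another file. This selection is an
# assumption of the example, not the list used by any tool in the thread.
EXTERNAL_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE", "LINK"}


def extract_fields(data: bytes):
    """Return (NAME, instruction) pairs for field instructions in raw bytes.

    Heuristic: no OLE parsing. Dropping NUL bytes lets the same pattern read
    16-bit text whose characters are ASCII; other 16-bit text is garbled.
    An instruction is cut at a nested field mark, so the outer name survives.
    """
    fields = []
    for m in _FIELD_RE.finditer(data.decode("latin-1")):
        instr = m.group(1).replace("\x00", "")
        name = _NAME_RE.match(instr)
        if name:
            fields.append((name.group(1).upper(), instr.strip()))
    return fields


def suspicious_fields(data: bytes):
    """Keep only the fields whose type is in EXTERNAL_FIELDS."""
    return [f for f in extract_fields(data) if f[0] in EXTERNAL_FIELDS]


def _field(instr, result, wide=False):
    # Build one constructed field run in 8-bit or 16-bit text.
    raw = "\x13" + instr + "\x14" + result + "\x15"
    return raw.encode("utf-16-le" if wide else "latin-1")


# Constructed sample bytes, not a real document.
SAMPLE = (
    b"Dear colleague, "
    + _field(' DATE \\@ "d MMMM yyyy" ', "26 August")
    + _field(' INCLUDETEXT "C:\\\\placeholder\\\\file.txt" ', "", wide=True)
    + _field(' includepicture "\x13 AUTHOR \x15.png" ', "")
)

if __name__ == "__main__":
    for name, instr in suspicious_fields(SAMPLE):
        print(f"external-content field {name}: {instr!r}")
```

Because the scan reads raw bytes, stray 0x13 bytes in binary parts of a file can produce extra candidates; treat a hit as a prompt to inspect the document's field codes, not as a verdict.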

Posted

Oh I know that. It's just not only is this the latest hole to be found in their crappy dominating software, but they are telling people to not use it to open the docs.

Posted

A spokesman for Microsoft has said that they will issue no patches on the next 'Patch Tuesday' for versions of Word vulnerable to the recent zero-day threat. There is no mention whatsoever of the omission in the latest advance notification at the company's security site.

From the article:

The software maker is working on a security update, but apparently needs more time. The company did not specify how many flaws Tuesday's updates will address or in which components of Windows the holes lie. The Visual Studio update could offer a patch for a zero-day vulnerability in the developer tools that was made public last month.

Archived

This topic is now archived and is closed to further replies.
