MS Word Zero-Day Exploit Found

Zonk posted more than 7 years ago | from the don't-do-any-work-today dept.

subbers writes "A zero-day flaw in the Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"

396 comments

At least it's not open source (5, Funny)

Anonymous Coward | more than 7 years ago | (#15367606)

You know how unreliable OSS is after all...

Re:At least it's not open source (0)

Anonymous Coward | more than 7 years ago | (#15367773)

Damn. My first thought and you beat me to posting it.

Re:At least it's not open source (0)

moro_666 (414422) | more than 7 years ago | (#15367909)

I can send you a Microsoft .doc file which describes how minor this flaw is and how bad open source can be; give me your mail addy.

Not overly bad, combined with some others bad. (5, Insightful)

Novanix (656269) | more than 7 years ago | (#15367609)

This type of spam isn't too bad given traditional spam methods, as smarter users won't open attachments from people they don't know. The dumb ones generally don't know a Word doc from an EXE, so hopefully they are also avoiding most attachments. However, there have been a few articles [arstechnica.com] on the future of spam and local data mining. Consider what would happen if the next virus your co-worker got looked through their emails, found the last Word document they sent out, and then copied that but embedded this exploit. They might even say, it's been revised, please have another look. The chances you wouldn't open this are extremely low, especially when you are opening a normally okay attachment. It is coming from someone you know, from their computer, through their ISP, and is even styled the same way as normal. The question is how will we attempt to combat such things? It doesn't just have to do with holes in Microsoft Office, or any other format too. When local data mining is combined with exploits in any other common formats (given the image exploits of other OSes even) you now have a delivery method that can almost promise execution.

Re:Not overly bad, combined with some others bad. (5, Informative)

Jimmy King (828214) | more than 7 years ago | (#15367661)

You haven't done any computer support for non-technical people in a long time, have you? It's only been a couple years since I broke free from the shackles of technical support, so believe me when I say way too many people will open this without thinking twice.

Re:Not overly bad, combined with some others bad. (0, Offtopic)

Politburo (640618) | more than 7 years ago | (#15367677)

The dumb ones generally don't know a Word doc from an EXE, so hopefully they are also avoiding most attachments.

AAHAHAHAHAHAHAHAHAHAHHAHAHAAHHAHAH

Whew. That was refreshing. Thanks!

Re:Not overly bad, combined with some others bad. (2, Insightful)

955301 (209856) | more than 7 years ago | (#15367679)

Disable attachments. It was a dumb idea in the first place - it presents opportunities for malicious behavior, harbours company secret dissemination and promotes unnecessary clutter. Refer to a URL pointing at a share within the company instead.

All internal corporate attachments should be banned. That's how you deal with it.

Re:Not overly bad, combined with some others bad. (1, Interesting)

955301 (209856) | more than 7 years ago | (#15367707)

Forgot one thing. This is what we need IPv6 for. If everyone in the country had a distinct permanent IP for each machine, they could share their resume or other docs from their own machine, provide permission to a company to access it, then send an email with no attachment, just the url to their share.

Re:Not overly bad, combined with some others bad. (0)

Anonymous Coward | more than 7 years ago | (#15367776)

Exactly.

If it gets worse, providers will probably just step in and quarantine attachments for a few days so as to avoid this zero-day nonsense.

It's not like spam, which is more a question of semantics (no pun) or subjective interpretation. Annoying, yes... but hardly anything else.

People being scared of attachments just don't know what "plaintext" is.

Re:Not overly bad, combined with some others bad. (4, Insightful)

Anonymous Coward | more than 7 years ago | (#15367790)

Are You Serious?!?!

So you're saying in the age of modern broadband, in the age of rich deliverable content, you are saying we should send text only? That's great. It's got nothing to do with fundamental inherent security issues in Microsoft's software made in poor architecture judgements, as well intended as they were.

It's the fault of a fundamental concept in email delivery, which non microsoft users use without fear.

hmmm.... don't think so. not at all.

Re:Not overly bad, combined with some others bad. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15367906)

Are you suggesting that I shouldn't be able to have hampsterdance.com as my email stationery? Rich content is what the WWW is for; email is for communication.

Re:Not overly bad, combined with some others bad. (3, Insightful)

955301 (209856) | more than 7 years ago | (#15367956)

Yes, I am serious.

Your suggestion that an attachment represents "rich deliverable content" is laughable.

Yes, I am saying email should be text only. It is already, whether you acknowledge it or not. You see, your "attachment" was bit shifted into text characters so it could be packaged in an email without getting munged. SMTP was intended for text and truncates bits based on that assumption. It's a bastardized, encoded cyst. A real document has a lifespan, an author, a source, and various other metadata that are not inherent to email. Copy an attachment out and paste into another email - unless the doc embeds the source, it has now been re-sourced forever.

An email should point to the document, at its source, not contain the document. If the end user wants a copy they should make it from the single, established source.

There is no reduction in the richness of the end effect. Single-clicking a link to the document on the source server takes no more time and is no less rich than double-clicking the document object in outlook.

You're trying to suggest that it's a step back. Losing your system to a virus is a step back. Trading an embedded doc for a url to the document is not.

Yes. I think that pretty much exactly... (2, Insightful)

msauve (701917) | more than 7 years ago | (#15367958)

what he's saying. Email is a text medium, like it or not.

It is a medium of communications, and text is the only content which can be assumed to be usable by any recipient. Sending anything other than plain old text, unless there is prior agreement between both sender and receiver, is a hindrance to communications.

http://www.efn.no/html-bad.html [www.efn.no]

The Slashdot Technology Taliban Rides Again! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#15367895)

Turning back the clock to Jan 1 1970! Yeehaw.

Re:Not overly bad, combined with some others bad. (1)

Adriax (746043) | more than 7 years ago | (#15367962)

So then they make one that scans local and mapped drives and infects ALL word documents it finds. Then a single person getting this would very quickly infect the entire company.

So other than inducing more user errors by adding more steps to people's tasks, what has your method accomplished?

When do we see a patch? (3, Insightful)

xot (663131) | more than 7 years ago | (#15367610)

Is there already a race on for releasing a patch? Can the anti-virus companies detect it?
I guess it will be a mess if they don't start detecting it soon. Of course MS will be flamed again.

Re:When do we see a patch? (1)

eviloverlordx (99809) | more than 7 years ago | (#15367647)

If you bought a car that had a major flaw in it, wouldn't you complain? Wouldn't people in the know wonder how such a flaw got through their quality process? Why should M$ be treated any differently?

Patch available (3, Funny)

MarkByers (770551) | more than 7 years ago | (#15367674)

Patch available: http://www.openoffice.org/ [openoffice.org]

Re:Patch available (2, Insightful)

dj42 (765300) | more than 7 years ago | (#15367914)

Patch available: http://www.openoffice.org/ [openoffice.org]


Why did that get modded insightful?

If anything, it's barely "informative".

In the corporate world, using Open Office is like driving an electric scooter. Sure, some people think it's cool because it's not a gas-sucking-Hummer, but it's a piece of shit scooter.

Is there perfect compatibility between business users with Word and OO? Absolutely not. It's totally unacceptable for corporate use with other folks that use MS Word regularly. Same with Excel and the OO variant. Especially if you're dealing with anyone "higher up" or you consult for folks, or you just want to know your files will be opened successfully, without requiring any extra effort from the person you sent it to.

Recommending OO because MS Word has a critical flaw makes sense for SOME home users, people who don't share files with MS Word users, etc. But for the most part, it's a bad recommendation unless you're just using OO like a slightly more advanced Notepad. As soon as you tap into truly in-depth MS Word features, compatibility problems arise. In my experience, all open/free/generic word processors are going to have to be used as glorified Notepads if you hope to attain high quality cross-product/platform compatibility.

Re:When do we see a patch? (1)

teasea (11940) | more than 7 years ago | (#15367782)

They deserve the flames. When MS started linking everything into the OS, they claimed it was to make things easier and that's what people wanted; they actually were trying to hold dominance over all things PC.

No, I am not the least bit surprised or shocked. Yes, I know how things work.
I won't have pity for MS or anyone else who sees their position as more important than people.

In fact, my pity meter is running on empty.

Re:When do we see a patch? (2, Funny)

sbrown123 (229895) | more than 7 years ago | (#15367783)

Must be another slow news day. I mean, Microsoft exploits are as regular as I am after eating Mexican food.

is Microsoft this fragile? (5, Insightful)

yagu (721525) | more than 7 years ago | (#15367612)

A recent slashdot story asked the question, "Is the internet that fragile?" When I see stories like this, it reminds me and should remind everyone of the other fragile technology(ies), Microsoft and their baggage.

Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:

As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.

This is disruptive and lose-lose: either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organizations' infrastructure.

Microsoft has made our bed, and now we all must sleep in it (ick). It's unacceptable that such an exploit could so easily take control and wreak damage. Why can a simple e-mail get in and twiddle with what should be administration-privileged system resources? I know the recommendation is everyone accessing their XP as non-administration users, but how do you enforce that, especially when for so long so many of the out-of-the-box configurations make administration rights the default login?

I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privilege.

Of course, a good outcome from this would be to reconsider the global transport of exchanging documentation (e.g., resumes and cover letters, etc.) to something a little less Microsoft, a little more open, and a little less prone to exploits. That can't happen soon enough.
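The Symantec workaround quoted above (block Word attachments at the perimeter, or quarantine them until detection catches up) is only as good as the attachment check behind it. Filtering on the `.doc` extension alone is trivially bypassed by renaming the file, and the sender's MIME type is whatever the attacker chooses to put in the header. The following is an added example, not code from the original article or from Symantec: it parses a MIME message, base64-decodes each attachment (the "bit shifted into text characters" step 955301 describes further up the thread), and flags a part as a Word document if any of three signals fire: the extension, the declared MIME type, or the OLE2 compound-document magic bytes (`D0 CF 11 E0 A1 B1 1A E1`) that every legacy binary Word file starts with. The sample message is constructed inline; the decision policy (quarantine on any hit) is an assumption standing in for whatever a site would actually choose.

```python
"""Perimeter check for Word attachments in a MIME message (example code)."""
import email
from email import policy
from email.message import EmailMessage

# OLE2 / Compound File Binary header. Legacy .doc files begin with it, but so do
# legacy .xls and .ppt files, so a magic-byte hit means "OLE2 container", not
# strictly "Word"; under a block-all-Word policy that is still a quarantine.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
WORD_EXTS = (".doc", ".dot", ".wiz")          # legacy binary Word extensions
WORD_MIME = {"application/msword", "application/vnd.ms-word"}


def classify_part(filename, content_type, payload):
    """Return the list of signals that mark this attachment as a Word file."""
    reasons = []
    name = (filename or "").lower()
    if name.endswith(WORD_EXTS):
        reasons.append("extension")        # attacker-controlled, weakest signal
    if content_type in WORD_MIME:
        reasons.append("mime-type")        # also attacker-controlled
    if payload[:len(OLE2_MAGIC)] == OLE2_MAGIC:
        reasons.append("ole2-magic")       # survives renaming and MIME lies
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, reasons)] for flagged parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # decode=True undoes the base64 / quoted-printable transfer encoding,
        # giving back the original attachment bytes for the magic check.
        payload = part.get_payload(decode=True) or b""
        reasons = classify_part(part.get_filename(), part.get_content_type(), payload)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


def decide(findings):
    """Assumed policy: any flagged attachment quarantines the whole message."""
    return "quarantine" if findings else "deliver"


def build_sample():
    """Constructed test message: a real .doc, a renamed .doc, and a harmless PDF."""
    fake_doc = OLE2_MAGIC + b"\x00" * 24          # stand-in for a compound file
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Revised report - please have another look"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="report.doc")
    # Same bytes, but renamed and mislabelled: only the magic check catches it.
    msg.add_attachment(fake_doc, maintype="text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(b"%PDF-1.4\n%...", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    found = scan_message(build_sample())
    for name, why in found:
        print(f"{name}: {', '.join(why)}")
    print("verdict:", decide(found))
```

The renamed `notes.txt` is the case that matters: a gateway that trusts extensions or MIME types delivers it, while a magic-byte check still quarantines it. Conversely, `invoice.pdf` passes because none of the signals fire. Gzip or zip wrappers would need the archive unpacked before the same check is applied to the inner file.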

Re:is Microsoft this fragile? (1, Funny)

Anonymous Coward | more than 7 years ago | (#15367681)

A recent slashdot story asked the question, "Is the internet that fragile?" When I see stories like this, it reminds me and should remind everyone of the other fragile technology(ies), Microsoft and their baggage.

If someone figures out how to put a root kit in a (Porn)MPEG file, the internet would be fucking gone!

Re:is Microsoft this fragile? (3, Insightful)

Politburo (640618) | more than 7 years ago | (#15367692)

I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privilege.

You act like MS is the only company that does this. Nothing could be further from the truth.

a better workaround (3, Insightful)

frankie (91710) | more than 7 years ago | (#15367700)

The exploit only works properly in Office 2003 (and crashes Office 2000). Given that emailed DOC files are pretty much required for millions of people to do their jobs, the most effective short-term workaround is use something else to read DOC files [openoffice.org] .

Re:is Microsoft this fragile? (1)

LoonyMike (917095) | more than 7 years ago | (#15367823)

It must be reassuring to offer a product and not have to assume responsibility. What a unique privilege.

Can you name any widely used software where the supplier assumes the responsibility?

Re:is Microsoft this fragile? (1)

neural cooker (720830) | more than 7 years ago | (#15367857)

I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privilege.

This is not specific to MS. Most EULAs, even OSS licences, have this type of clause.

Re:is Microsoft this fragile? (3, Insightful)

d_jedi (773213) | more than 7 years ago | (#15367870)

I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privelege
"Unique privelege (sic)"? Not quite.. just about every software company absolves itself of legal responsibility in this way.. why, even the GPL does it.

Re:is Microsoft this fragile? (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#15367875)

This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.

The open source and closed source communities have already provided me with a better work-around for this attack vector, one which Microsoft motivated me to start employing long ago. MS Word costs money. MS Word is rather slow to open and sometimes leaks memory. MS Word crashes, corrupting the open file when working on long documents. As a result, I avoid MS Word.

On my Windows and Linux systems I open .doc files in OpenOffice by default. This means if I'm opening an attachment I don't have to open a separate program from the one I already have open (OpenOffice). When I'm on my Mac, I usually open them in Pages.app (which I often have open for other, minor editing tasks). Either way, I'm unlikely to use MS Word and thus I won't be vulnerable to this attack.

My response is, time to mandate OpenOffice in your workplace and defang this particular threat while saving a bundle of cash at the same time.

Re:is Microsoft this fragile? (0)

Anonymous Coward | more than 7 years ago | (#15367897)

disruptive and lose-lose

has made our bed, and now we all must sleep in it (ick).

unacceptable that such an exploit could so easily take control and wreak damage

language crafted to absolve of any responsibility for bad things happening because of them

must be reassuring not have to assume responsibility

a good outcome from this would be something more open, and a less prone to exploits. That can't happen soon enough.


Gee, you make them sound like the Bush administration of the software world.

Re:is Microsoft this fragile? (3, Insightful)

gmiley (975720) | more than 7 years ago | (#15367918)

Consider that many on-line applications for jobs require cover letters and resumes as WORD attachments. Now, consider the temporary suggested workaround:

As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.

This is disruptive and lose-lose, either organizations heed the advice, and now for as long as it takes to fix Microsoft's problem applicants will have their documents blocked, or some of these hackers profuse their new hack and compromise organization's infrastructure.

This suggested work-around should never have been... well, suggested. Unfortunately, until this has been fixed it leaves a network wide open to potential problems. One must weigh the losses and choose the lesser: infected network, potential compromise/loss of data/work/money; or block files for the time being, perhaps quarantine them until proper detection methods are ready, and possible loss of a few hours for a few people.

That all depends on the organization as to what would be more acceptable.

Continuing on, I see this all the time, people immediately bash MS. Granted, it is their software, however, it could be (and occasionally is) software created by other companies. It just so happens that MS is a popular choice for the majority of the world.

I know the recommendation is everyone accessing their XP as non-administration users, but how do you enforce that

Any properly admin'ed network can easily do this. At home is a different story, but those that refuse to work with only the minimum required permissions take the risk of exposing themselves to a larger selection of potentially harmful attacks.

I must say I admire Microsoft's savvy more each day in their EULA -- crafted to absolve Microsoft of any responsibility for bad things happening to users because of Microsoft's software. It must be reassuring to offer a product and not have to assume responsibility. What a unique privilege.

I doubt you would happily take responsibility if you let your neighbor borrow your lawnmower who then promptly used it to run over his own dog...

Re:is Microsoft this fragile? (1)

jagspecx (974505) | more than 7 years ago | (#15367980)

When I see stories like this, it reminds me and should remind everyone of the other fragile technology(ies),

Users and "[Insert Topic] for Dummies" books?

Not funny (2, Insightful)

Beuno (740018) | more than 7 years ago | (#15367618)

How many EXTREMELY critical flaws do Word documents have already?
How is it possible these things still keep coming up?
It's not even funny anymore...

Re:Not funny (3, Insightful)

BFaucet (635036) | more than 7 years ago | (#15367900)

What really gets me is how rarely the methods these vulnerabilities use are used for useful purposes.

In most cases rich text or even plain text documents are more than adequate. Do memos and resumes really need to have executing code in them?

In related news (5, Funny)

Siberwulf (921893) | more than 7 years ago | (#15367636)

Sony announces it will be sending an apology note to users who were infected by their rootkit DRM. The apology will be in .doc format.

In other news... (3, Informative)

KrackHouse (628313) | more than 7 years ago | (#15367637)

Re:In other news... (1)

tomstdenis (446163) | more than 7 years ago | (#15367668)

Holy bad timing batman...

Well the virus was probably written by a team of non-commercial developers. So MSFT is right. Only dangerous things come from those non-money grubbing hippies.

Tom

Re:In other news... (1)

OctoberSky (888619) | more than 7 years ago | (#15367772)

Well the virus was probably written by a team of non-commercial developers. So MSFT is right. Only dangerous things come from those non-money grubbing hippies.

Thats a funny statement until you see.... From the article: The e-mail was written to look like an internal e-mail, including signature.

Each email is signed: Sincerely, Steve Jobs

real damage? (5, Funny)

gEvil (beta) (945888) | more than 7 years ago | (#15367644)

Finnish anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

Yeah, but can they do any real damage? : p

Re:real damage? (1)

rodgster (671476) | more than 7 years ago | (#15367742)

This is one of the reasons I preach minimum privilege needed to get the job done. While it is cumbersome to live up to this under Windows, in a corporate network it MUST be done.

I only allow local admin with a demonstrated NEED.

Yet I shake my head in amazement when wanna be admin lamerz perform their normal daily tasks (like read their email) logged in as a domain admin.

Question (2, Interesting)

benjjj (949782) | more than 7 years ago | (#15367663)

Would someone with more knowledge than me explain the term "zero day"?

Re:Question (5, Informative)

Fat Idiot (923144) | more than 7 years ago | (#15367711)

Zero Day means that the vulnerability was previously unknown. Hence there are no days between discovery of the vuln and discovery of the exploit in the wild.

Re:Question (2, Informative)

Politburo (640618) | more than 7 years ago | (#15367719)

To me, in this context, zero-day has no meaning. It's used in the warez community to reference a download that is available the day the software is released (i.e., zero days after the release). You would also have 1-day, (n)-day, and in rare cases (negative)-day warez.

I can only guess that it means the worm uses a heretofore unknown exploit. Thus, this exploit is 'zero days' old.

Re:Question (1)

Churla (936633) | more than 7 years ago | (#15367738)

Usually "Zero Day" means something that was available when the product was released now.

"Zero day" warez means a warez copy is available the day the product releases (sometimes before).

"Zero Day" vulnerabilities are usually ones which are detected before a virus is in the wild for them. (i.e. problem found before an exploit is available)

In general it usually just means "Really new!"

Re:Question (5, Informative)

MarkByers (770551) | more than 7 years ago | (#15367739)

Hmm the Wikipedia page doesn't really explain it very well: http://en.wikipedia.org/wiki/Zero_day [wikipedia.org] so let me try.

It means that the exploit was discovered by crackers before any patch has been made available to the public. In other words there is nothing you can do except not open any .doc files unless you want to run the risk of being cracked.

But of course, everyone knows that Word is full of holes because no-one has really attempted to use it as an attack vector yet since there are many easier ways [microsoft.com] .

Re:Question (1)

icepick72 (834363) | more than 7 years ago | (#15367952)

Hmm the Wikipedia page doesn't really explain it very well

Just modify the Wiki page. Share the better explanation with the world instead of leaving it here.

Re:Question (1)

gmiley (975720) | more than 7 years ago | (#15367975)

That is correct. Usually Zero-Days are released by the person who found the hole/bug/exploitable code. At times this is due to someone who actually has a hand in the code and knows these weak points letting it slip or designing it him/herself, but that is not a requirement. Here is an article you can check out: zero-day [techtarget.com]

Re:Question (1)

955301 (209856) | more than 7 years ago | (#15367740)

Among other things, vulnerabilities are gauged by the number of days they have been out. 8-day, 7-day, etc. If an exploit ('sploit) has not been known before being used in the wild, it's referred to as a 0-day. That's Zero day, or "oh-day".

http://en.wikipedia.org/wiki/Zero_day [wikipedia.org]

Re:Question (-1)

Anonymous Coward | more than 7 years ago | (#15367744)

Wikipedia is your friend. See this entry [wikipedia.org] .

Re:Question (1)

magicjava (952331) | more than 7 years ago | (#15367752)

It means the method used to carry out this attack is not known by the public in general.

Zero-day flaws are usually considered hard to manage because no one knows anything about them.

In English, it means "a very bad thing".

Re:Question (0)

Anonymous Coward | more than 7 years ago | (#15367788)

It's by far most common for exploits to come out after the vulnerability has been patched. Typically:

1. A researcher discovers a flaw and reports it to the vendor.
2. The vendor issues a patch.
3. (a) The researcher waits a decent length of time, then releases the proof-of-concept exploit which they originally provided to the vendor, or
   (b) other researchers reverse-engineer the patch (if it's a closed-source app), or just examine the CVS history (if it's open-source), and produce their own proof-of-concept exploit.
4. Less technically skilled, but more malicious, types build a real attack tool based on the proof-of-concept exploit.

The time from 2 to 4 corresponds to system admins' window of safety to get the patch deployed to all their systems.

A zero-day exploit is one where the attack is discovered in the wild before the vendor knew about the vulnerability (or at least admitted to knowing about it). The attack has to be reverse-engineered, the vulnerability re-discovered from that work, and a patch developed and released, all while the exploit is being actively used.

Sysadmins therefore have a zero-day window of safety - they have to scramble to find a workaround for now, and hope the patch comes out fast, and works when it arrives.

Re:Question (1)

00RUSS (549125) | more than 7 years ago | (#15367805)

Zero day means that you learn of the vulnerability through the virus. It hits without any warning.

Re:Question (1)

brickballs (839527) | more than 7 years ago | (#15367812)

Would someone with more knowledge than me explain the term "zero day"?
Zero day basically means that nobody even knew the vulnerability existed before it turned up and started causing trouble.

In contrast, sometimes a "proof of concept" exploit is first released that does no damage and instead gives the vendor a chance to fix the vulnerability.

http://en.wikipedia.org/wiki/Zero_day [wikipedia.org]

Re:Question (1)

Maniacal Laughter (974626) | more than 7 years ago | (#15367830)

According to Wikipedia [wikipedia.org] , a zero-day flaw is one that is announced to the public before a patch is available for it.

This means that until MS releases a patch for Word, people will remain vulnerable. Furthermore, increasing number of people are vulnerable to it now that the news is out, and others can exploit the vulnerability too, before the patch is out.

Re:Question (4, Informative)

jschottm (317343) | more than 7 years ago | (#15367845)

Would someone with more knowledge than me explain the term "zero day"?

N-day (where N >= 1) exploits refer to the number of days after a vulnerability and/or patch is made available that it takes for exploits to occur. If Microsoft releases a patch on the 12th and an exploit is written on the 15th, that would be a 4-day exploit. Some people would consider it to be a 3-day exploit, not counting the day of the announcement.

Zero day refers to an exploit that uses a previously unknown vulnerability in software, or in some special cases, finds a way to turn a previously known flaw from something that wasn't considered bad enough to patch to a dangerous situation. Zero day exploits are dangerous in that there are no patches for them, although in some cases it can be prevented/mitigated by firewalls or Intrusion Prevention Systems. On the other hand, zero day exploits are often held closely by the people who discover them in order to gain the maximum advantage from it. For example, the exploit used on debian.org a few years ago was not disclosed in order to use it to penetrate several huge names in the open source community. Once a zero day exploit is made public knowledge, it will be focused on and patched.

There is also an archaic use of the term from the old days of pirate BBSes - back when delivery of cracked software was slow, different BBSes would have better priority on getting delivery of that software. The most important ones would get the software the day it was released by the cracking group and would be described as having 0-day warez. Broadband/P2P/etc. has made the use of this term out of date, although it's entirely possible that some people still use it in this context.

Re:Question (0)

Anonymous Coward | more than 7 years ago | (#15367924)

zero-day usually refers to something being current/new with no patch, workaround, or previous warning.

Just how much is 'exploited'? (2, Insightful)

Dimensio (311070) | more than 7 years ago | (#15367666)

Is this an exploit that somehow grants malicious code access privileges even beyond the user's access level, or does this simply allow execution of arbitrary code at the access level of the user who is running Word?

If it is the former, then it's a very serious flaw. If it's the latter, then it's a serious flaw, but one that will only really adversely affect people stupid enough to run as Administrator all the time, despite Microsoft's own warning against such idiotic practices [microsoft.com] .

If it is the latter, then I have further justification to use against the users who have complained about losing their Administrator privileges.

Re:Just how much is 'exploited'? (1)

Jimmy King (828214) | more than 7 years ago | (#15367721)

If it's the latter, then it's a serious flaw, but one that will only really adversely affect people stupid enough to run as Administrator all the time, despite Microsoft's own warning against such idiotic practices
You mean how pretty much every pc I've seen that comes with windows on it is by default and how XP home installs and sets up the first (and usually only) user by default, meaning that pretty much every windows user with no technical knowledge or concern will be really adversely affected?

Re:Just how much is 'exploited'? (1)

Dimensio (311070) | more than 7 years ago | (#15367838)

You mean how pretty much every pc I've seen that comes with windows on it is by default and how XP home installs and sets up the first (and usually only) user by default, meaning that pretty much every windows user with no technical knowledge or concern will be really adversely affected?

I never claimed that Microsoft's default setup options were intelligent or consistent with their security model.

Re:Just how much is 'exploited'? (1)

d_jedi (773213) | more than 7 years ago | (#15367892)

You can just as easily always run as root under Linux (etc.) as well..

Re:Just how much is 'exploited'? (1)

WhiteWolf666 (145211) | more than 7 years ago | (#15367728)

Former. Installs a rootkit; at least that's what the article says. The ISC summary indicates it drops some kind of bot on your system, which probably takes advantage of some local privilege escalation.

Re:Just how much is 'exploited'? (1)

spun (1352) | more than 7 years ago | (#15367919)

A rootkit merely conceals activity on a system where a root compromise has already taken place. There is no mention of privilege escalation.

Re:Just how much is 'exploited'? (0)

Anonymous Coward | more than 7 years ago | (#15367770)

The latter.

It is not different than any MS file which lets you embed VB script into the file: Word, Excel, PowerPoint, ANYTHING.

This whole fucking article is much ado about nothing; the moral of the story: don't open random shit from strangers.

Idiotic practice (2, Interesting)

Anne Thwacks (531696) | more than 7 years ago | (#15367789)

I wish to own up as having performed idiotic practices (With and without the help of Windows).

I have a PDA running WinCE, and I can only sync it with MS ActiveSync if I am logged on as administrator. I really detest this. It would be so much better if each member of the family could sync their own PDA when logged in as themselves. However, ActiveSync does not appear to support this. This machine has to be connected to the internet to update my WinCE apps. I suspect this makes ActiveSync "goods not of merchantable quality" in the terms of the UK Sale of Goods Act, and I am willing to participate in a class action against MS.

I only use the Windows computer for syncing my PDA. For everything else, I use FreeBSD.

Re:Idiotic practice (1)

WhiteWolf666 (145211) | more than 7 years ago | (#15367972)

Not sure about this, but why not explore SynCE and Kitchensync for your PDA? I suspect you can get those for FreeBSD.

Re:Just how much is 'exploited'? (1)

cyber-vandal (148830) | more than 7 years ago | (#15367855)

I run mainly as LUA on my XP Home machine and at first it was a total PITA with way too many apps needing admin access to do anything. For those there were two options: run as admin (no way) or use CACLS to grant the LUA access to certain directories in Program Files and a program to allow those that demand admin to run no matter what directory access you grant them.
Now I know this is the fault of the app designers but it's pointless to blame the users for not wanting to put up with the tedious aggro of trying to run as LUA (even if they could understand the rather crappy CACLS tool) when everything works on an admin account.
However since the expectation of admin access comes from the Win9x days and the fact that WinXP Home has admin rights by default Microsoft can't really avoid the blame on this one.

Most of us shouldn't have to worry... (2, Interesting)

pla (258480) | more than 7 years ago | (#15367671)

FTA: Symantec's DeepSight team said the exploit successfully executes shellcode when it is processed by Microsoft Word 2003. The malicious file caused Microsoft Word 2000 to crash, but shellcode execution did not occur.

Wonderful! So it only affects the latest-and-greatest versions of Office. Considering that MS hasn't added anything since Office 95 (I still run '97, myself), I expect only business users on SA should ever get hit by this exploit.


Then again, I suppose this means that Microsoft has added something, at least since Office 2000... Namely, more security flaws. Woot! Way to go Billy G! "Focus more on security" indeed.

Good thing... (2, Interesting)

DnemoniX (31461) | more than 7 years ago | (#15367676)

Guess it is a good thing that I haven't seen enough added value to justify a move from Word 2000 to 2003 in our organization.

DEP? (4, Interesting)

urikkiru (801560) | more than 7 years ago | (#15367678)

Does this still work with hardware supported Data Execution Protection enabled I wonder? Just curious. Seems like the kind of thing it's supposed to trigger against. I know that with it enabled, I can't profile a visual studio project I'm working on, as the profiling app hooks into the memory of the app I'm working on. Not sure if this is a similar thing though. But still, seems like something that should be a clear separation between executable and data segments of memory.
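The question above is about whether hardware DEP (the CPU's NX bit) would stop shellcode that a document parser has written into a data buffer. The following is an added example, not code from the thread, the article or any vendor: on Linux or another Unix on x86-64 or AArch64 (not Windows, whose DEP is the same mechanism under a different name) it maps one page read/write only and one page read/write/execute, copies a harmless six-byte "return 42" stub into each, and calls it from a forked child so the parent can observe the outcome. With NX enforced the data-only page cannot be executed and the child dies with SIGSEGV; the executable page returns 42. The stub bytes and the page layout are the example's own; nothing here relates to the Word file format.

```python
"""Demonstrate the memory-protection idea behind hardware DEP/NX.

Added example; not from the Slashdot thread or the article. Runs on
Linux (and most other Unixes) on x86-64 or AArch64. It shows what an
NX-enforcing CPU and OS do: bytes placed in a page mapped read/write
only cannot be executed, while the same bytes in a page mapped
executable run fine. The machine code is a benign stub that returns
42; it is not exploit code.
"""
import ctypes
import mmap
import os
import platform
import struct

PAGE = mmap.PAGESIZE


def stub_bytes() -> bytes:
    """Machine code for 'return 42' on the running architecture (assumed set)."""
    arch = platform.machine().lower()
    if arch in ("x86_64", "amd64"):
        return b"\xb8\x2a\x00\x00\x00\xc3"                   # mov eax, 42 ; ret
    if arch in ("aarch64", "arm64"):
        return struct.pack("<II", 0x52800540, 0xD65F03C0)    # mov w0, #42 ; ret
    raise RuntimeError("no stub for architecture %r" % arch)


def call_stub(executable: bool) -> int:
    """Map one page, copy the stub into it, and jump to it.

    With executable=False the page has no PROT_EXEC; on an NX-enforcing
    system the call faults and this function never returns.
    """
    prot = mmap.PROT_READ | mmap.PROT_WRITE
    if executable:
        prot |= mmap.PROT_EXEC
    page = mmap.mmap(-1, PAGE, prot=prot)        # anonymous mapping, no file
    code = stub_bytes()
    page[:len(code)] = code                      # the "data" we were handed
    addr = ctypes.addressof(ctypes.c_char.from_buffer(page))
    fn = ctypes.CFUNCTYPE(ctypes.c_int)(addr)    # treat the buffer as a function
    return fn()


def run_in_child(executable: bool) -> int:
    """Run call_stub() in a forked child and report how the child ended.

    Returns the stub's return value (42) if the jump succeeded, or the
    negative signal number (-11 for SIGSEGV on Linux) if the CPU refused
    to execute the non-executable page and the kernel killed the child.
    """
    pid = os.fork()
    if pid == 0:                                 # child
        try:
            rc = call_stub(executable)
        except Exception:
            rc = 255
        os._exit(rc & 0xFF)
    _, status = os.waitpid(pid, 0)               # parent
    if os.WIFSIGNALED(status):
        return -os.WTERMSIG(status)
    return os.WEXITSTATUS(status)


if __name__ == "__main__":
    print("executable page :", run_in_child(True))    # 42
    print("data-only page  :", run_in_child(False))   # -11 (SIGSEGV) when NX is enforced
```

The caveat a practitioner would add: NX only blocks the naive "write shellcode into a buffer and jump to it" pattern. It does nothing against an exploit that returns into code already mapped executable, or that first calls the platform's VirtualProtect/mprotect on its buffer, so DEP is a mitigation, not a fix.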

All your DOCs are belong to us! (0)

Anonymous Coward | more than 7 years ago | (#15367690)

All your DOCs are belong to us!

Oops.. (1, Redundant)

Akoma The Immortal (36474) | more than 7 years ago | (#15367693)

Like this guy [slashdot.org] has been saying all along, commercial software is more dependable, reliable....

For Hackers..

Queen: *dong* *dong* *dong* another one bites the dust!


Re:Oops.. (1)

WhiteWolf666 (145211) | more than 7 years ago | (#15367765)

Why is this modded troll? Because it's anti-MS?

Is it anymore trollish that the article he is referencing?

Re:Oops.. (0)

Anonymous Coward | more than 7 years ago | (#15367898)

Really... Why is it a troll?

This is nonsense! (1, Interesting)

WhiteWolf666 (145211) | more than 7 years ago | (#15367697)

I've read comments from Microsoft trolls on at least 2 other articles saying that if I have up to date virus definitions and a working firewall I'll never experience any infection from anything like this.

Over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over, and over again.

How many years have y'all been virus free, boys? 5? 50? 500? Because, after all, people never get viruses when they have all the available OS updates, all the AV definitions up to date, and a working firewall. Right? /flameretardant materials on. I expect the MS fanbois to be storming this article in a matter of minutes.

Re:This is nonsense! (1)

cnettel (836611) | more than 7 years ago | (#15367745)

It still requires manual intervention. What I'm wondering right now is whether this could be turned into a "preview-only exploit" if Outlook (not Outlook Express) is configured to use the Word engine as an email editor.

Re:This is nonsense! (1)

WhiteWolf666 (145211) | more than 7 years ago | (#15367832)

It wouldn't surprise me if it worked like that.

Also, it wouldn't surprise me if it started re-emailing itself to everyone in your outlook address book. I believe one can send e-mails from

Re:This is nonsense! (2, Funny)

PFI_Optix (936301) | more than 7 years ago | (#15367767)

It helps not to open infected files :)

When some other OS with some other standard office suite becomes the de facto standard for business AND for home users, we'll see the same sort of security breaches for that particular combination of software. It hasn't been done yet because there are twenty (or more) times as many Windows machines, and Windows has a larger percentage of careless users.

When Joe Six Pack switches to Linux/Unix/Mac/whatever and MS is the underdog, suddenly they'll be the secure ones.

Incidentally, it's not trolling to point out that I haven't seen a virus since early 2000, and that was because I hated updating W2K on dialup and put it off.

Re:This is nonsense! (1)

WhiteWolf666 (145211) | more than 7 years ago | (#15367946)

So lemme guess, you aren't opening word files, even from your clients or coworkers, until this is patched. Right?

Quote from article:
The e-mail was written to look like an internal e-mail, including signature.

Either that, or you don't use your computer for business, at least nothing involving Office Documents.

... after all people never get viruses ... (1)

Tim Ward (514198) | more than 7 years ago | (#15367798)

... if they chose not to download and install and run them.

Works for me.

That way I also don't have to spend extra money on extra hardware to support buggy bloatware virus checkers. How many times have you seen complaints about systems broken by anti-virus software? More often than never? Riiight ... good enough for me.

Re:... after all people never get viruses ... (1)

WhiteWolf666 (145211) | more than 7 years ago | (#15367921)

Let's say one of your clients' systems is infected with this 0-day exploit. No virus definitions yet. What do you do?

Do you just refuse to open MS Word Documents until you get new definitions? How the _hell_ do you know when you are protected?

Geez. (1)

bluemeep (669505) | more than 7 years ago | (#15367698)

And this just brings us right back to the oldest antivirus solution in the book: if you don't know the sender, DON'T OPEN THE FILE. You'd think people would catch on by now...

Re:Geez. (1)

rvw14 (733613) | more than 7 years ago | (#15367835)

From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'

In reading the summary it appears that the e-mail comes from someone in the corporate network. If I received an e-mail that looked like it came from my boss, with an attachment, I most likely would open it with no thought that it wasn't from her.

Re:Geez. (5, Insightful)

LurkerXXX (667952) | more than 7 years ago | (#15367912)

if you don't know the sender, DON'T OPEN THE FILE

WRONG! Modern viruses, for YEARS now, have set their 'sent from' address as a random address they found in either the internet cache, or ADDRESS BOOK of the infected machine. Often many people in a random address book already know each other. That means the virus has a very good chance to be sent 'from' someone you know (in the address line), although that person didn't send it.

Don't trust an attachment just because it appears to come from someone you trust. If you aren't expecting that exact attachment, or there isn't very very clear wording in the email that would make it relevant to something you know about rather than some generic topic, don't open it. Take two seconds and email the person back and ask what it is.

Trusting an attachment just because it appears to come from someone you know is STUPID.

Re:Geez. (1)

wannabgeek (323414) | more than 7 years ago | (#15367974)

Reminds me of a Dilbert cartoon, where the manager sends Dilbert an email to check out a fax that he sent and finally comes over and tells him the message anyway. So I guess that is what we should all do!

doesn't affect me (1)

dioscaido (541037) | more than 7 years ago | (#15367702)

Seeing as I don't run as an Administrator on my box when I'm not administering, the exploit is neutralized by simple lack of privileges. Still sounds nasty nonetheless.

Clarification: Attack is from China, not of China (5, Insightful)

WillAffleckUW (858324) | more than 7 years ago | (#15367708)

For all we know, the Zombie Overlords live in Scranton, NJ or Brazil.

They're just using the incredibly insecure servers one can find in China and nearby countries to base the attacks from.

Now, that doesn't mean they aren't Chinese - in fact, that's quite possible - just that where an attack comes from is frequently not where the people who set it off are based.

security? (4, Informative)

pe1chl (90186) | more than 7 years ago | (#15367750)

As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter.

How about:
- make sure your users don't work as administrator but under an unprivileged user account
- setup the system so that this unprivileged user account cannot write in %windir% and %ProgramFiles%
- build the network in such a way that programs cannot directly "connect home" but can connect to the Internet only via well-defined proxy servers
- setup mail so that incoming office documents opened from mail do not open in Office but in the free Office viewers instead
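Two of the points raised in this thread lend themselves to a concrete check at the mail gateway: the first recommendation above (block Word attachments at the perimeter) and LurkerXXX's warning a few comments up that the From: address is routinely forged to look like a colleague. The block below is an added example, not code from the thread, the article, Symantec or Microsoft. It parses a raw message with Python's standard library and flags (1) every attachment whose bytes start with the OLE2 compound-document signature, which is the container of every .doc/.xls/.ppt file of that era, so a file renamed from report.doc to notes.txt is still caught, and (2) a From: address in the organisation's own domain on a message whose outermost Received: header shows it entered from a host outside that domain. The domain example.com, the host names, the salutation and the attachment bytes are all constructed for the example.

```python
"""Perimeter checks for a "looks internal, carries a Word file" e-mail.

Added example; not from the Slashdot thread, the article or any vendor.
Uses only the standard library. Everything below about example.com, the
relay host and the message text is constructed for the demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Signature at offset 0 of every OLE2 compound document (.doc/.xls/.ppt
# before Office 2007). Checking bytes, not the file name or Content-Type,
# is what defeats a renamed attachment.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OUR_DOMAIN = "example.com"          # assumed internal domain for the example


def is_ole2(data: bytes) -> bool:
    """True if the payload begins with the OLE2 compound-document signature."""
    return data[:8] == OLE2_MAGIC


def find_ole2_attachments(msg: EmailMessage) -> List[str]:
    """Names of attachments whose decoded bytes are an OLE2 container."""
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""   # undo base64/QP
        if is_ole2(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


def first_hop_host(msg: EmailMessage) -> Optional[str]:
    """Host named in the 'from' clause of the outermost Received: header.

    The first-listed Received: line was added by our own MX, so it is the
    one header an external sender cannot forge.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\bfrom\s+([\w.-]+)", str(received[0]))
    return m.group(1).lower() if m else None


def looks_spoofed_internal(msg: EmailMessage) -> bool:
    """From: claims our domain, but the message entered from outside it."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    if not m or m.group(1).lower() != OUR_DOMAIN:
        return False                 # not claiming to be one of ours
    host = first_hop_host(msg)
    if host is None:
        return True                  # no trace at all: treat as suspicious
    return not (host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN))


def scan(raw: bytes) -> dict:
    """Run both checks over a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "ole2_attachments": find_ole2_attachments(msg),
        "spoofed_internal": looks_spoofed_internal(msg),
    }


def build_sample() -> bytes:
    """Construct a message shaped like the one the article describes.

    Internal-looking sender and signature, salutation by name, a .doc
    attachment, plus a copy renamed to .txt. Both payloads are just the
    OLE2 header padded to one 512-byte sector; there is no real document.
    """
    fake_doc = OLE2_MAGIC + b"\x00" * 504
    msg = EmailMessage()
    msg["Received"] = ("from mail.attacker-relay.example ([203.0.113.7]) "
                       "by mx.example.com; Thu, 18 May 2006 09:12:00 +0000")
    msg["From"] = "Alice Boss <alice@example.com>"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Bob, please review before the meeting"
    msg.set_content("Bob,\n\nAttached is the draft we discussed.\n\n"
                    "-- \nAlice Boss\nHead of Finance")
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="report.doc")
    msg.add_attachment(fake_doc, maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan(build_sample()))
    # {'ole2_attachments': ['report.doc', 'notes.txt'], 'spoofed_internal': True}
```

The Received: check only holds for the header your own MX prepends; any Received: lines further down were supplied by the sender and prove nothing. Likewise, blocking on the OLE2 signature stops the .doc container but not a document wrapped in a ZIP or other archive, so the filter belongs alongside, not instead of, the non-admin and viewer-only recommendations listed above.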

Re:security? (1)

Churla (936633) | more than 7 years ago | (#15367880)

Now now now..

You're getting all fancy schmancy. Besides, how would that help Symantec annoy MS? We have to keep our head and priorities about us in these hectic times and stay focused on the goal.

Switch to ODT (1)

phy_si_kal (729421) | more than 7 years ago | (#15367824)

Now is the time to tell your contacts to use an open document format, which IS a standard for both ISO and OASIS (ISO/IEC 26300), and is not susceptible to the threats of Microsoft Word documents.
Maybe something like for the people who keep sending Word files:
"Please use OpenDocument for your document exchange, because it's
- open,
- a standard (ISO/IEC 26300)
- it protects you and me from security threats.
Please look for details at http://en.wikipedia.org/wiki/OpenDocument [wikipedia.org] "
At the end, it may work.

The irony! (0)

Anonymous Coward | more than 7 years ago | (#15367981)

A couple of days ago a helpful Automatic Update invalidated my Microsoft Office products (something about a license) and for today (and today only?) protected me from their own incompetence.
In other news typing a page of text can also be done in Open Office.