
Word Vulnerability Compromised US State Dept.

samzenpus posted more than 7 years ago | from the you've-got-a-virus dept.

Security 207

hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Department's network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"


Great news for open formats (4, Insightful)

Beuno (740018) | more than 7 years ago | (#18793187)

Well this should push everything towards open document formats a bit more, so it might just be a good thing...

Re:Great news for open formats (2, Funny)

aputerguy (692233) | more than 7 years ago | (#18793375)

Friends don't let Friends use Micro$oft...

Re:Great news for open formats (5, Interesting)

drago177 (150148) | more than 7 years ago | (#18793411)

It would be so easy to just install StarOffice on each computer (keep Word), and ask the more technical departments to start using it, if only to save docs in Word format at first. I did this with the last company I worked at, nobody ever even complained. The cost was very minimal, and it actually saved a lot of money and time when an excel file corrupted itself. MS could not open it, but SO opened then re-saved it in MS format, then it worked fine.

Re:Great news for open formats (0, Offtopic)

aichpvee (631243) | more than 7 years ago | (#18793843)

How come you recommend StarOffice over OpenOffice.org? On the Sun payroll, or is there something you actually like better about it, other than the support, which you don't seem to have much use for from your post?

Re:Great news for open formats (2, Insightful)

berzerke (319205) | more than 7 years ago | (#18794085)

How come you recommend StarOffice over OpenOffice.org?...

Well, perhaps some policy forbids installing free (as in no invoice) software, or the policy requires a support contract.

Re:Great news for open formats (5, Interesting)

drago177 (150148) | more than 7 years ago | (#18794111)

I heard the install was faster/easier, and it was. You're right about the support - never tried it, but I did want to contribute to the open source concept, and $ rules the world. I knew those above me wouldn't notice an extra $20 on each pc, but they were scared of 'non-professional software', so to be able to tell them there was support was a necessary safeguard.

Oh, btw, they were using that Excel sheet to keep track of a fleet of buses (this co was archaic in their IT dept when I got there). A radio dispatcher was frantically telling the bus drivers there was a computer problem and to 'hold tight' for 15 minutes till I got there, then 5-10 more minutes to figure out MS file recovery wouldn't cut it, and 5 to install SO from the network and fix the prob. The only serious occasion that pitted MS vs SO and the results were stark. So no, I'm not on Sun's payroll, but the story ought to be a commercial, and I walked out like a hero so I'm happy to tell it.

Re:Great news for open formats (0)

ArsenneLupin (766289) | more than 7 years ago | (#18794331)

Was that that business of theirs at T.I.C.E. [www.tice.lu]?

Re:Great news for open formats (3, Insightful)

Gerzel (240421) | more than 7 years ago | (#18793937)

I think one problem is that we are making document formats that are far more than just what they are ostensibly used for. Word processing documents are generally meant to hold blocks of text, some pictures and charts, and some internal pointers. Does a word processing format really need java script, and support for every feature under the sun?

However a new format for every feature doesn't work too well either. Perhaps an extendable document format that plainly details what features are used in the document, so you can tell if that Word doc in your email has more than just the text of that newly leaked Harry Potter novel.

Re:Great news for open formats (2, Interesting)

Anonymous McCartneyf (1037584) | more than 7 years ago | (#18793955)

But if Open Document Text does almost everything .doc files do, how can we be sure it doesn't have similar back doors?

Re:Great news for open formats (3, Insightful)

Eggplant62 (120514) | more than 7 years ago | (#18794299)

Use the SOURCE, Luke.

With open software, you can look at the source code and see exactly what it does and test it for all the vulnerabilities you want and get them removed, by yourself if you find yourself so talented. Only the monkeys in Redmond know what is really going on in Windows, and anyone using their products is dependent upon MS and MS only for a solution. That may come in days, weeks, but most likely months after a vulnerability is found. Meanwhile, someone ends up releasing details of the vulnerability, then codes up a nasty bug to take advantage. The fact that MS software is so full of holes and has no real peer-review process among the general population of all possible coders interested in fixing bugs is its weakness in comparison.

Re:Great news for open formats (5, Insightful)

boer (653809) | more than 7 years ago | (#18794803)

> With open software, you can look at the source code and see exactly what it does

I thought even the OS community had realised by now how ridiculous this argument is. The world economy would in effect come to a halt if every company and public office started to scan source code for potential vulnerabilities. This is hardly a selling argument, and being a wise-ass about it has never helped the OS movement.

Having a goal of zero vulnerabilities in software as complex as an office suite strikes one as feasible only to an ideologist nerd. In practice there will always be vulnerabilities as long as human beings are responsible for the design and programming. And having gazillions of eyes searching through the source code, presumably on the company dollar, is not an effective way to remove those faults.

Hmmm...hackers (5, Funny)

Spookticus (985296) | more than 7 years ago | (#18793197)

It seems those hackers missed the Philippines and accidentally hit the state department instead

Re:Hmmm...hackers (2, Funny)

dclozier (1002772) | more than 7 years ago | (#18793323)

and bush won again. just who are these hackers? :D

Re:Hmmm...hackers (1)

alexjohnc3 (915701) | more than 7 years ago | (#18793327)

No, I'm pretty sure they were aiming for the US. We're pretty much the only ones who will fall for an infected Microsoft Word document.

Re:Hmmm...hackers (1)

sumdumass (711423) | more than 7 years ago | (#18794083)

Heh. I wonder if this is the same story or a continuation from the story about the D.O.D. computers getting hacked or attempted hacks.? [slashdot.org]

Re:Hmmm...hackers (0)

Anonymous Coward | more than 7 years ago | (#18794801)

Meanwhile hackers have posted the data gleaned from the DOD...

"... P = NP .. proved 1989 .."

"... let's hold the results.."

"... let those damn scientists break their heads..."

Re:Hmmm...hackers (1)

MrNormS (1002849) | more than 7 years ago | (#18794451)

"A love letter from [insert famous actress/model] with an attached word document! That's obviously for me and not suspicious at all... I better open it!"

Quick (3, Funny)

WED Fan (911325) | more than 7 years ago | (#18793201)

Quick everyone, the bandwagon is getting ready to leave. Jump on.

Re:Quick (4, Insightful)

Sancho (17056) | more than 7 years ago | (#18793451)

What magical office software do you use that is apparently 100% bug free?

Re:Quick (5, Funny)

grcumb (781340) | more than 7 years ago | (#18793527)

What magical office software do you use that is apparently 100% bug free?

Emacs

*ducks and runs*

Emacs (1)

Jordan Catalano (915885) | more than 7 years ago | (#18794153)

Off-topic, but...

Richard Stallman is giving his "Copyright and Community in the age of computer networks" lecture at Johns Hopkins tomorrow morning. For anyone who's heard it already: worth taking an early lunch to go hear? How long does it run?

Re:Quick (3, Funny)

aichpvee (631243) | more than 7 years ago | (#18794163)

Does that include a decent text editor yet?

Re:Quick (2, Funny)

Anonymous Coward | more than 7 years ago | (#18794441)

Sure, it comes with a preinstalled vi implementation.

Re:Quick (2, Funny)

Jugalator (259273) | more than 7 years ago | (#18794355)

Tsk, tsk, Linux users these days...
I type OpenOffice.org Writer XML in VI... In the format's ZIP-compressed form!

Re:Quick (1)

renegadesx (977007) | more than 7 years ago | (#18794037)

Vi

Re:Quick (1)

laejoh (648921) | more than 7 years ago | (#18794259)

What magical office software do you use that is apparently 100% bug free?

LaTeX, the writer offer(s|ed) cash for bugs found

Re:Quick (1)

DrSkwid (118965) | more than 7 years ago | (#18794823)

The one I have the source code for.

Scary (5, Insightful)

nicolas.kassis (875270) | more than 7 years ago | (#18793231)

The fact that a simple Word document can cause such a big problem is really sad. How can you tell a few thousand people not to open Word document attachments? I mean, where I work, users receive tons of documents (pdf, office, autocad files) by email from vendors and such. I guess the only defense is good email filtering, but still, a 0-day attack would make that useless.

Re:Scary (1)

hcmtnbiker (925661) | more than 7 years ago | (#18793335)

Remember OO has had its share of exploits as well. Why would you ever open anything not from a source you know if you were in the State Department? All this really shows is the ignorance of our government (and I can say OUR because every government shares in ignorance). I'm sure the guy who opened it had someone behind him saying "It's only a Word document, how could that do anything? See what it is."

Re:Scary (1)

tubapro12 (896596) | more than 7 years ago | (#18793365)

Exactly. One would think people would be smarter about security in something as high as the state department.

Re:Scary (1)

nicolas.kassis (875270) | more than 7 years ago | (#18793505)

Even a document from someone you trust can't be trusted, yet the risk is outweighed by the speed benefit of email. Maybe the State Department should go to text-only email with no attachments. Copy-pasting documents into emails might help mitigate future attacks.

slight modification to your proposal (2, Interesting)

drachenstern (160456) | more than 7 years ago | (#18794249)

One of our clients' email is set up so that if you send them an attachment without a particular second attachment, their firewall drops the attachment and only gives you the file. Lemme spell it out for the slow students in the class.

A customer needed an instruction for how to remove the lid from a specialty box. (for field support purposes, the field guys could be morons, so better to have something from the vendor)

He calls me and asks for it, I whip something up in PDF and shoot it over to him.

He calls me and says, got your email but not the attachment.
Me: Huh?
Him: When I send this email, reply to it and keep the attachment that's there and attach the doc again.

So, why is the US Govt not using the same thing? Can it really cost that much to implement (obv not)

Re:Scary (1)

aichpvee (631243) | more than 7 years ago | (#18794221)

Maybe when we get people running the government who care more about governing than packing all the departments with cronies we'll have a chance. But even then I still wouldn't bet on it.

Re:Scary (3, Interesting)

shawn(at)fsu (447153) | more than 7 years ago | (#18793575)

Why would you ever open anything not from a source you know if you where in the State Department? ...
FTA (which isn't entirely clear):
The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as back door communications with the hackers.
It's not clear, but I wouldn't be so quick to say the employee was stupid for opening an email without knowing the source. If it appeared legit and it was just a plain Word doc with no VB scripts, then it's not all his/her fault.

And why are you taking aim at governments in particular? Any government, corporation or single home user could have been fooled by this.

Re:Scary (1)

ArsenneLupin (766289) | more than 7 years ago | (#18794709)

And why are you taking aim at governments in particular? Any government, corporation or single home user could have been fooled by this.
Because for the government, much more is at stake than for a simple home user. They should have followed trainings instructing them about proper security precautions.

Re:Scary (1)

tftp (111690) | more than 7 years ago | (#18794033)

Why would you ever open anything not from a source you know

And how, short of digital signatures, would you know who sent the email? SMTP has no method to authenticate the sender, as spammers demonstrate every day. You can send a fake email with nothing more than a telnet app.

Re:Scary (1)

ArsenneLupin (766289) | more than 7 years ago | (#18794723)

And how, short of digital signatures, would you know who sent the email? SMTP has no method to authenticate the sender, as spammers demonstrate every day. You can send a fake email with nothing more than a telnet app.
Nowadays, there are workarounds, such as SPF. If it passes SPF (and if SPF was properly set up by the domain being verified), you can assume with some confidence that the mail is legit.

And, in case of mails purporting to be from the government itself (as was apparently the case here...): why isn't their MTA rejecting all mails that claim to be internal but came in via the public internet rather than the VPN?
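The two checks this comment describes (accept a sender whose mail passes a properly published SPF record, and refuse mail that claims an internal sender domain but arrives from the public internet instead of the VPN) as an added, offline example; this is not code from the comment or from any real MTA. It assumes a constructed SPF record table standing in for DNS TXT lookups, constructed domain names, documentation IP ranges, and a VPN client pool, and it implements only the ip4/ip6/all mechanisms, since a, mx and include need live DNS.

```python
import ipaddress

# Constructed stand-ins for what an MTA would look up at run time (not the
# article's data): SPF TXT records keyed by sender domain, the domains this
# site regards as its own, and the address ranges that are only reachable
# from inside the network or over the VPN.
SPF_RECORDS = {
    "example.gov": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "partner.example": "v=spf1 ip4:198.51.100.7 ~all",
}
INTERNAL_DOMAINS = {"example.gov"}
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),      # office LAN (assumed)
    ipaddress.ip_network("172.16.8.0/22"),   # VPN client pool (assumed)
]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate one SPF record against the connecting IP address.

    Returns the usual SPF result string. Only the ip4, ip6 and all
    mechanisms are implemented; a, mx, include and exists require DNS
    and are skipped so that the example runs offline.
    """
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"   # malformed record: treat as a hard error
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # any other mechanism is skipped in this offline example
    return "neutral"   # nothing matched and no explicit "all" term


def mta_decision(mail_from, client_ip):
    """Decide at SMTP time whether to accept a message.

    Policy: a sender domain that belongs to this site must arrive from an
    internal or VPN address, never from the public internet; everyone
    else is checked against their published SPF record.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    ip = ipaddress.ip_address(client_ip)
    inside = any(ip.version == net.version and ip in net for net in INTERNAL_NETS)
    if domain in INTERNAL_DOMAINS:
        if not inside:
            return "reject", "internal sender domain from the public internet"
        return "accept", "internal domain from internal/VPN network"
    result = evaluate_spf(SPF_RECORDS.get(domain), client_ip)
    if result in ("fail", "permerror"):
        return "reject", f"SPF {result}"
    return "accept", f"SPF {result}"


if __name__ == "__main__":
    for sender, ip in [("staff@example.gov", "192.0.2.5"),
                       ("staff@example.gov", "172.16.9.20"),
                       ("sales@partner.example", "198.51.100.7"),
                       ("sales@partner.example", "192.0.2.9")]:
        print(sender, ip, "->", mta_decision(sender, ip))
```

A softfail is accepted here but reported, so a later filtering stage can weight it; a site that wants to be stricter can turn it into a reject in mta_decision without touching the evaluator.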

Re:Scary (5, Insightful)

mrbluze (1034940) | more than 7 years ago | (#18793559)

The fact that a simple Word document can cause such a big problem is really sad. How can you tell a few thousand of people not to open word document attachment?

Of course this is a popular article because it's more evidence of how Microsoft's 'professional' products are so amateurish, but you're right, you can't tell thousands of people not to open an attachment.

The root of the problem doesn't lie in Word documents, or Word for Windows. The problem lies in Windows, period. The operating system is practically incapable of separating important and sensitive data from junk-mail and untrusted documents from the outside. In such a place as the State Department, it's scandalous.

Whilst hypothetically, Linux is also vulnerable (eg: through some flaw in Open Office), a properly configured system could protect itself without needing to rely on the end user to manually screen every bit of junk they come across. Sure there would potentially have been some corruption of data, maybe some low level leakage, but really, this all points to a hopelessly overcomplicated and poorly designed OS. Naughty Bill!

Re:Scary (3, Interesting)

Architect_sasyr (938685) | more than 7 years ago | (#18793747)

It's interesting to note that the compromises on our machines don't occur on our terminal servers or the critical PCs, they only occur on the ones that "absolutely must have" administrative access on their local machine.

A properly configured Windows system is as secure as a properly configured Linux system (well, in this case anyway!). And in case you're wondering: if our helpdesk can't solve the issue within 15 minutes the PC is re-imaged, no questions asked, no data saved. People store stuff on network servers because they're told to; anyone who doesn't comply with IT is made to suffer the consequences.

Re:Scary (4, Insightful)

ozmanjusri (601766) | more than 7 years ago | (#18793793)

If our helpdesk can't solve the issue within 15 minutes the PC is re-imaged no questions asked no data saved.

Christ on a stick! That's a bloody good reason to hide EVERY problem from the IT Nazis.

Does anyone ever get any work done?

Re:Scary (5, Interesting)

Architect_sasyr (938685) | more than 7 years ago | (#18794393)

Actually it's a very effective method for both the IT team and the people who desperately need the administrative access. IT aren't required to understand every little John Doe program that these people can want to install, so they don't have to support them (this is very clearly communicated to these users).

It also means that we have a relatively standardised form across the board despite having PCs everywhere, and very quickly weed out the users who think they're smart but aren't really.

An example of a good operator: there's a bloke over in administration who I would swear used to work in IT. He's got Open Office installed when everyone else uses Microsoft Office, he uses firefox, thunderbird and trillian for his messenger. About 500 theme packs and a few other bits of software. According to our helpdesk logging system he has only ever called once, and this was when he patched himself for the new daylight savings time last year. Everyone else had the problem as well.

Also, so that those who aren't aware know, you don't have to be a local administrator to install a network printer. Anyone hooking a printer directly to a PC in a corporate environment is either a director or an IT who has lots to learn.

Re:Scary (2, Interesting)

Raideen (975130) | more than 7 years ago | (#18794525)

As the GP stated, "People store stuff on network servers because they're told to, anyone who doesn't comply with IT is made to suffer the consequences." Keeping data on the individual PCs is costly. In an environment that's set up properly (folder redirection at least, no write access to the hard drive outside of the home directory, maybe the addition of roaming profiles), there's no reason to worry about data stored on the local disk. If they re-image the machine and you still have issues, swap out the hardware and you're working again. Such policies can easily save a user hours of downtime, and it also saves the time of the IT staffer. It all translates into saving money for the company.

Re:Scary (1)

Phroggy (441) | more than 7 years ago | (#18794619)

Christ on a stick! That's a bloody good reason to hide EVERY problem from the IT Nazis.

Does anyone ever get any work done?
Of course!

The IT department gets LOTS of work done! Very efficient. :-D

Re:Scary (2, Interesting)

tftp (111690) | more than 7 years ago | (#18794059)

A properly configured windows system is as secure as a properly configured linux system

It is also unmanageable by the operator. The IT does not have time to run around and help everyone when he needs to connect to a printer, for example, or install an approved, free or site-licensed piece of software. A simple XP user can't even change his own preferences in Word; a power user can't connect to a printer (but can install some software.) The XP privileges and their effects are as chaotic as they can be.

Re:Scary (2, Interesting)

dave1g (680091) | more than 7 years ago | (#18794345)

Actually you can. You just have to be hard core like the military. I work for a military contractor (a university research lab); we received an email telling us not to use Word documents whatsoever for a certain period of time, and if we didn't comply we'd lose our contracts. All attachments were being made in rich text format; some of the non-techies were scrambling to figure out how to do it, but life went on.

not trying to excuse microsoft for their shitty product, just saying you can tell people to stop using word for a few weeks if there are real consequences.

Re:Scary (4, Insightful)

Sancho (17056) | more than 7 years ago | (#18793627)

Running ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."

Unfortunately, they didn't disclose the nature of the vulnerability. "hidden software commands" in the mass media could be anything from shellcode to an executable embedded in the document, to a macro. Since Microsoft patched it, it was probably either something that autoran or an overflow.

Re:Scary (4, Insightful)

jkrise (535370) | more than 7 years ago | (#18794067)

Running ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."


Nice attempt to evade the issue by raking up redundant matters. The crux of the problem here is that MS Word needs or provides Internet access for some of its functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems.

The fact that Word is designed to occasionally talk over the internet, coupled with its hooks into the OS via things like VBA etc., is the problem. In fact, the main problem here is not Word or Office, it is the Windows architecture that is vulnerable.

Re:Scary (4, Informative)

ArsenneLupin (766289) | more than 7 years ago | (#18794771)

The crux of the problem here is that MS Word needs or provides Internet access for some of it's functions. Even if it had any buffer overflows, the problem would not be exploitable from remote systems.
Although Word does probably provide Internet access to its macros and other nasties, this was not a necessary condition for this to work. Even if MS Word didn't have any code within to connect to the internet, any supposed exploit would have been able to supply its own. And from the looks of it, this is what happened here. Apparently, this was some kind of call-back program that would somehow tunnel out through the firewall, connect to the hacker's control console and accept instructions from there.

Such a thing is rather complex, and probably not pre-existing within word. It was brought in by the trojan itself.

Re:Scary (1)

jkrise (535370) | more than 7 years ago | (#18794917)

Apparently, this was 1. some kind of call-back program that would somehow tunnel out through the firewall, connect to the hacker's control console and accept instructions from there.

Such a thing is rather complex, and probably not pre-existing within word. It was brought in by 2. the trojan itself.


1. Excuse me... how would such a call-back program be initiated, and how would it perform the desired function? Does it not mean that Word has the provision / bug of being able to initiate external programs that can perform actions at a higher privilege than the user reading the document? Is that not a serious architectural bug in Word AND IN Windows as well?

2. I think 'the trojan' is a weak and misleading description for this program. It is an exploit for a hole in the operating system... nothing less.

Frankly, I wonder how you can speculate with any accuracy regarding this problem, since the article is extremely short on meaningful data regarding the bug exploit.

Re:Scary (2, Insightful)

wvmarle (1070040) | more than 7 years ago | (#18794129)

Running ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

Of course I don't. Nobody does. But the difference is, I wouldn't run a script like that when receiving it via e-mail, unless specifically requested from the sender. Word documents are another matter. I regularly (a few times a week) get them unexpectedly, from unknown origin, and do open them. That is because I am expecting new sales/purchase leads from new customers/suppliers - that's part of my business. And often they send their info as an MS Word attachment. That said, I use Linux/OOo so there's not much risk opening doc files.
The scripts I run are downloaded from "trusted" sources - websites of known open-source software, collection sites like sourceforge, etc.

Wouter.

Re:Scary (1)

FranklinDelanoBluth (1041504) | more than 7 years ago | (#18794229)

Running ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

Better yet, do you know that your compiler isn't hardcoded to put backdoors in programs?

Re:Scary (1)

oGMo (379) | more than 7 years ago | (#18794243)

Running ./configure or make or make install could cause just as large a problem. Do you read through those scripts before running them?

Running configure and make on a package from a "reputable" source is not the same as opening random documents people send you in an email. Or do you routinely have source packages mailed to you which you blindly build?

I say "reputable" because while, in theory, you could download a source package from, say, sourceforge, that someone had trojaned, there are a number of factors which make this an unlikely vector:

  • This would be found quickly by users, reported, and removed from sourceforge in short order
  • There are high odds that, if the piece of software you are using is generally usable and of wide appeal, there are a lot of other people who use it, and the maintainers are well-known (how many big open source projects are done anonymously?)
  • The user in question would immediately lose all trust; no one would take patches or allow repository/site access to this person again
  • You'd quickly hear about it on slashdot and other news sites

Yes, this could happen. It might happen. In fact, though a slightly different situation, gnu.org was hacked [slashdot.org] a few years ago. All the potentially-compromised code was dumped and reevaluated. This was basically a worst-case scenario: a trusted distributor was compromised. Yet they survived.

(As for claims of "well what if it were really well hidden!" ... these things don't hide well. It's easy to notice extraneous network traffic and processes. If there was an extensive rootkit hidden in the source, it might be one thing, but the more complicated you get, the less chance you have of portability and success. This is the strength of polyculture.)

Furthermore, buffer overflows could exist in just about any program. There could be one in emacs right now, triggered by reading a file into the buffer. Then it would be "scary.. The fact that a simple text file can cause such a big problem is really sad."

This particular example is rather silly; however even if it were the case for the sake of argument, it's not the same: exploiting a buffer overflow in emacs as a regular user will not give you root access to the system.

In the end it comes down to a lack of trust of Microsoft. A single, opaque source, whose security and design practices have a history of being laughable, little evidence of proactivity on the issue, and no way to verify anything they say. You pay them, they say "trust us!", and yet, there is repeated evidence that there is good reason not to trust them.

Re:Scary (1)

ArsenneLupin (766289) | more than 7 years ago | (#18794843)

This would be found quickly by users, reported, and removed from sourceforge in short order
Why the conditional tense? Such things have already happened several times. And indeed, they've usually been located within days, but during that time, other people already have downloaded, built and run the trojaned packages.

There are high odds that, if the piece of software you are using is generally usable and of wide appeal, there are a lot of other people who use it, and the maintainers are well-known (how many big open source projects are done anonymously?)
What usually happens is that the distribution system is hacked, i.e. a third party somehow manages to slip a backdoor into a reputable program. Or maybe a minor contributor submits a "sneaky" patch that appears to fix a bug, but introduces another one using a well-placed typo. If this is sneaky enough, or if the main author is too trusting, this could indeed wreak some havoc.

if(uid = 0) {                 /* single '=' assigns 0 (root) to uid instead of comparing it */
    perform_some_operation();  /* never reached: the assigned value 0 makes the condition false */
} else {
    raise_error();             /* always taken, but uid has silently been changed to 0 */
}
Yes, this particular example would raise warnings if compiled using -Wall, but a skilled attacker could introduce stuff which is less easy to detect.

The user in question would immediately lose all trust; no one would take patches or allow repository/site access to this person again
That minor contributor would use a throw-away account, and never troll under the same name again.

You'd quickly hear about it on slashdot and other news sites
And indeed, there have been several reports of such incidents on Slashdot (but I'm too lazy to look them up right away. But as far as I remember, big names such as OpenSSH and FreeBSD have been affected). AFAIR, most such incidents involved security holes in the repository sites, rather than "sneaky" patches.
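The `if(uid = 0)` typo in the comment above is exactly the kind of thing a reviewer wants flagged mechanically before a patch lands, and the comment notes that -Wall would catch it. The following is an added example, not code from the comment or from any project: a small Python check, assumed here as a pre-merge review hook, that scans C source for an if/while condition containing a bare assignment, following the same convention gcc uses (an assignment wrapped in its own parentheses is taken as deliberate). The C fragment it scans is constructed around the comment's snippet.

```python
import re

# Constructed C fragment (modelled on the snippet in the comment above, not
# taken from any real project): one sneaky assignment, one intentional
# parenthesised assignment, and one ordinary comparison.
SAMPLE_SOURCE = """\
int check_user(int uid, int flags) {
    if(uid = 0) {
        perform_some_operation();
    } else {
        raise_error();
    }
    while ((c = getchar()) != EOF) {
        count++;
    }
    if (uid == 0 && flags <= MAX_FLAGS) {
        return 1;
    }
    return 0;
}
"""

KEYWORD_RE = re.compile(r"\b(if|while)\s*\(")


def _condition(line):
    """Return the text inside the balanced parentheses after if/while,
    or None if the line has no such condition (or it is unbalanced)."""
    m = KEYWORD_RE.search(line)
    if not m:
        return None
    start = m.end() - 1          # index of the opening '('
    depth = 0
    for i in range(start, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[start + 1:i]
    return None


def _bare_assignment(cond):
    """True if cond contains a single '=' at parenthesis depth 0 that is not
    part of ==, !=, <= or >=.  An assignment inside its own parentheses,
    e.g. ((c = getchar()) != EOF), is the idiom gcc accepts as deliberate."""
    depth = 0
    for i, ch in enumerate(cond):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "=" and depth == 0:
            prev = cond[i - 1] if i > 0 else ""
            nxt = cond[i + 1] if i + 1 < len(cond) else ""
            if prev not in ("=", "!", "<", ">") and nxt != "=":
                return True
    return False


def suspicious_assignments(source):
    """Scan C source text line by line; return [(line_no, condition), ...]
    for every if/while whose condition carries a bare assignment.
    Limitations: single-line conditions only, and '=' inside string
    literals or comments is not special-cased."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        cond = _condition(line)
        if cond is not None and _bare_assignment(cond):
            findings.append((lineno, cond.strip()))
    return findings


if __name__ == "__main__":
    for lineno, cond in suspicious_assignments(SAMPLE_SOURCE):
        print(f"line {lineno}: assignment in condition: {cond!r}")
```

Run over the sample it reports only line 2; the getchar loop and the real comparison pass. As the comment says, this catches the crude typo only, so it belongs alongside compiler warnings and human review rather than in place of them.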

You don't read your scripts? (1)

MillionthMonkey (240664) | more than 7 years ago | (#18794301)

Do you read through those scripts before running them?

Are you suggesting I don't read all my make install and ./configure scripts?

I review my scripts for correctness every morning before I kick off my kernel recompile and take my shower.

Re:Scary (1)

sumdumass (711423) | more than 7 years ago | (#18794465)

Would a buffer overflow give a remote attacker control of the computer? Err, let me rephrase that. Would a buffer overflow in emacs when opening a document in emacs give that document the power to notify a hacker it has done its job and then give that hacker control of the computer with enough access to gain access to other information and retrieve it?

I think the problem of having a problem is as bad as how easy and automated the problem can be. It isn't necessarily that a bug exist but what can be done with the bug and what can be automated to effect it. I'm not sure MS is just like any other software in this example. Or any other software is like MS's in the same ways.

Re:Scary (0)

Anonymous Coward | more than 7 years ago | (#18794793)

The solution would be Open Document Format; if you had many software programs able to read the same document, then an attack will only target one of those programs; all the people using the other programs will be safe.

Re:Scary (1)

DrSkwid (118965) | more than 7 years ago | (#18794871)

> How can you tell a few thousand of people not to open word document attachment?

Use an effective mail/document storage system.

(Insert Troll Here) (4, Funny)

WhiteWolf666 (145211) | more than 7 years ago | (#18793261)

Queue the legion of Microsoft apologists, saying things like:
a) It's only because MS Office has the largest market share, this could of happened to any office suite!
b) It's not a big deal, obviously the state department's IT department is incompetent.
c) Damn Hackers, always trying to ruin a good thing!
d) Macs run on Intel processors now, so they're vulnerable too!
e) This is probably because the NSA sponsors SELinux.
f) In Soviet Russia, MS Office hacks YOU!

Did I miss any?

Re:(Insert Troll Here) (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#18793429)

In Soviet Russia, State Department hacks Microsoft Office Documents!

Re:(Insert Troll Here) (1)

rtb61 (674572) | more than 7 years ago | (#18793447)

On the flip side, it would be very interesting to find out whether M$ already knew about this fault, and didn't warn anybody about it, to keep in line with the 'marketing and profits first', 'security and customer costs last' policy, remember in the M$=B$ universe, faults do not exist if they are not publicly declared and they couldn't be bothered patching them.

Re:(Insert Troll Here) (1)

jkrise (535370) | more than 7 years ago | (#18793487)

Did I miss any?

Yes. Imagine a Beowulf Cluster of MS shills and Apple fanboys... oh wait! Isn't that Slashdot already?

Re:(Insert Troll Here) (5, Funny)

Beefchief (808968) | more than 7 years ago | (#18793709)

g) Cue the Grammar Nazi that points out the difference between "cue" and "queue" :)

Re:(Insert Troll Here) (2, Funny)

necrostopheles (865577) | more than 7 years ago | (#18793863)

h) And the one that points out could of != could've

The first is a phrase that doesn't make sense, and the second is a contraction of "could have".

Re:(Insert Troll Here) (1)

ouzel (655571) | more than 7 years ago | (#18794305)

Someone else actually understands that distinction?! Hallelujah! I felt so alone.

Re:(Insert Troll Here) (1)

lilomar (1072448) | more than 7 years ago | (#18793883)

---snip---
cue 2 (kyoo) n. 1. A signal, such as a word or action, used to prompt another event in a performance, such as an actor's speech or entrance, a change in lighting, or a sound effect.
---snip---
from http://www.thefreedictionary.com/cue [thefreedictionary.com]

Re:(Insert Troll Here) (1)

Comatose51 (687974) | more than 7 years ago | (#18793879)

Damn dude, leave some for the rest of us. Now how am I going to get my comment modded up?

It proves a set of closed vs open source arguments (4, Insightful)

postbigbang (761081) | more than 7 years ago | (#18793263)

1) the attack, once found, would have a bevy of coders working on it (we hope, of course)

2) the testing and regression doesn't have the dependency matrix that Word does, and it's likely that if there was a link, it could be both understood and remedied quickly through an open code supply chain

3) multiple hackers (oops, I mean coders) would likely offer variances of a patch, of which perhaps several would/could be part of the subsequent 'patched' tree

4) eight weeks is a travesty, and that the State Department of the United States of America didn't have an IDF that could detect the aberrant traffic is just plain malfeasant. Heads should roll.

Re:It proves a set of closed vs open source argume (1)

beakerMeep (716990) | more than 7 years ago | (#18793427)

I'm not sure what IDF means but from TFA:

The State Department detected its first break-in immediately, Reid said, and worked to block suspected communications with the hackers. But during its investigation, it discovered new break-ins at its Washington headquarters and other offices in eastern Asia, Reid said. At first, the hackers did not immediately appear to try stealing any U.S. government data. Authorities quietly monitored the hackers' activity, then tripwires severed Internet connections in the region after a limited amount of data was detected being stolen, Reid said.

The Commies are Coming !! The Commies are Coming ! (0)

Anonymous Coward | more than 7 years ago | (#18793279)

The Commies are Coming !! The Commies are Coming !!

(bell done rung three times ... come by da-net) /Mah image word is prophecy/

Good Times (2)

QuantumG (50515) | more than 7 years ago | (#18793311)

Ahh, I remember the days when a virus spreading via email was just a silly joke [wikipedia.org] that everyone knew was impossible.

Thanks Microsoft.

Only fooling themselves (5, Insightful)

drago177 (150148) | more than 7 years ago | (#18793313)

At first, the hackers did not immediately appear to try stealing any U.S. government data. Authorities quietly monitored the hackers' activity, then tripwires severed Internet connections

If you find evidence of a break-in, it's possible the attackers are also connecting in a way you haven't yet detected. Hope they know what they're doing. Given their reputation, I doubt [slashdot.org] it [slashdot.org] .

Strong Bad had it right when he said... (0)

Anonymous Coward | more than 7 years ago | (#18793357)

...the system is down [homestarrunner.com] .

On a more serious note, FTA, "By opening the document, the employee activated hidden software commands establishing what Reid described as backdoor communications with the hackers."

This is why Word document software should not automatically run a scripting engine. Unfortunately, the article does not say what version of Word or Office was used. Should we assume all are susceptible?

Moo (1)

Chacham (981) | more than 7 years ago | (#18793373)

Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"

Not only were they infected, they were infected multiple times! And then, completely delirious, they thought Microsoft was informed. And then--horror of horrors--they had to amputate their internet connection before they leaked.

Normally, i like the sob story, but this is TMD, Too Much Data.

The airlock is closing... (3, Funny)

djupedal (584558) | more than 7 years ago | (#18793437)

"...then had to sever internet connectivity to avoid leaking too much data!"

"Cap'n, we're having a wee bit 'o trouble in IT - we're leaking data down here like no one's bloody business - we may have to sever communications!"

"Scottie - is it really that bad...? Isn't there some alternative that will buy us more time??!! I need more time, dammit man!"

"Cap'n, I'm only a Star Fleet Engineer, not the Queen's magician..."

"Well, Engineer...see if you can pull a rabbit out of your ass and buy me five more minutes before you cut us off. That's all we need to make the jump, and after that you can cut your nuts off for all I care!"

"Aye, Cap'n...do me best - one shit-stained rabbit, com'n up - IT out!"

Re:The airlock is closing... (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18793831)

This reminds me of a joke I heard Eddie Murphy tell once. A bear and a rabbit are shitting in the woods. The bear asks the rabbit "Do you have problems with shit sticking to your fur?" The rabbit answers no, so the bear wipes his ass with the rabbit.

Re:The airlock is closing... (1)

wordsnyc (956034) | more than 7 years ago | (#18794061)

That makes a lot more sense if the rabbit says "Yes."

OS and Apps must be separate! (2, Insightful)

jhfry (829244) | more than 7 years ago | (#18793461)

Anytime that applications are allowed to access files or capabilities beyond what is absolutely necessary to perform their function, there is a risk.

Microsoft has created some of the most powerful office tools by leveraging tons of existing code that wasn't exactly designed for the intended purpose.

For example, I love VBA (visual basic for applications)... it can make it very easy to turn a basic spreadsheet into a pseudo application. The problem is, VBA has too many ties to the OS.

That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system.

I cannot blame anyone but MS for this... and not the MS Word or Office team. If the OS were properly designed so that user space applications were properly separated, issues such as this would not exist.

The best part is how long in coming the patch for this is... if these systems were running anything open source, a preliminary patch would be made in a matter of hours (assuming that it was posted immediately to an appropriate mailing list or IRC channel).

I can't wait until the saying is changed to "Everybody is getting fired for buying Microsoft"... because, IMO, any IT manager who gives a shit about the "INFORMATION" portion of their title should be fired for trusting it to MS's proprietary bullshit!

Re:OS and Apps must be separate! (4, Insightful)

goofballs (585077) | more than 7 years ago | (#18793631)

That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system. I cannot blame anyone but MS for this... and not the MS Word or Office team. If the OS were properly designed so that user space applications were properly separated, issues such as this would not exist.

This has nothing to do with separation of the user space. The app is run as a unique user, and the information stolen is that available to that user. There is no suggestion that privilege escalation occurred in this attack.

Re:OS and Apps must be separate! (1)

jhfry (829244) | more than 7 years ago | (#18793907)

The article was indeed light on details... but it suggested that once they had gained access to ONE machine via this document they were able to access data on the US Government network (I am assuming global network here). This tells me that whatever this document allowed granted the cracker access to more than what was on this user's computer, or even what this user was allowed to access.

I cannot claim for certain that a similar exploit couldn't be done in a more secure, by design, operating system. However I suspect that it would be unlikely that you would find an operating system like Linux, OSX, Solaris, or AIX running a word processor application (or any productivity application) that can install a rootkit or other package allowing access to the local system (beyond the current user's rights), let alone the network. Such a design would be "insecure" and not tolerated by the community.

It's a different mindset. Windows tries to cater to everyone, unfortunately "everyone" includes the crackers of the world. To make a secure system, you must be willing to limit the capabilities of your developers and users. All security comes at a cost. Most software is willing to accept that cost, and limit or inconvenience the user to some degree, in exchange for added security. It's a balancing act, too much security and the user cannot achieve their goals... not enough and it doesn't matter 'cuz the system is pwned!

I feel that in many ways, the Windows OS developers have leaned a bit too far toward user freedom... now users expect it, and are not satisfied when their OS limits them. Until recently, most users were annoyed if they needed to enter a password to use their machine.

I still remember my girlfriend's words when I installed our new Mac. "Do I have to have a password? It's annoying to have to type it in all the time." I simply said "No, you don't need one. But I will need to restrict your account from doing much of anything on the computer, and you won't be able to access any music or photos I share on the server." She relented... and know what, once I explained why, she actually appreciated the need for a secure user account and I haven't heard one complaint since. In fact, I finally got her to stop using the same password for every site, and she doesn't let the browser save her passwords anymore either.

How the **** is this insightful? (3, Informative)

Mr 44 (180750) | more than 7 years ago | (#18794039)

Where's the -1, Misinformed?

That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system.

Are you implying that is not the case with Windows??? A quick look in Task Manager shows some system processes running as your user account, some as "LOCAL SERVICE", some as "NETWORK SERVICE" (both restricted accounts), and some as "SYSTEM" (=root). And a quick look at top on my Linux box sure doesn't show "almost all" services running as unique users.

And sure, it's up to the administrator to configure it so the user account is not an administrator, but I've never seen a government system where a domain user account has local admin rights.

In the specific case of this vulnerability, the word document was able to run arbitrary executable code as the current user. This presumably allowed access to network shares, and then sending the data back out (via HTTP most likely). That sort of thing would be possible with any operating system.

The only area you are correct in is that on linux the flaw could be patched quicker... But in a large organization, it likely could still be preferable to block the exploit with IDS/firewall rules than by rolling out a client patch...

Microsoft Logic (1)

vertigoCiel (1070374) | more than 7 years ago | (#18793509)

Gotta love it. From TFA:

"If we release a security update that is not adequately tested, we could potentially put customers at risk."

I'm sorry, were the customers not at risk before? I don't understand. How could a security update expose more security holes, unless it were coded by a dumbass?
Oh, wait...

Re:Microsoft Logic (3, Informative)

neil.orourke (703459) | more than 7 years ago | (#18793615)

It doesn't necessarily mean that there are more security holes. Remember the Win2K patch that killed Compaq desktops with a particular network card?

Surprise! State department compromised. (-1, Flamebait)

zippthorne (748122) | more than 7 years ago | (#18793557)

To be fair, the State dept. comes precompromised. That's what you get when you hire foreign nationals, communists and spies: The sincere Chamberlains are just elbowed out of the way. so I fail to see how a lil' word bug could make things any worse.

Opendoc (2, Interesting)

Billly Gates (198444) | more than 7 years ago | (#18793561)

Well, it's a good thing the government standardizes on OpenDoc and does not cater to special interests like Microsoft's lobbyists when making requirements for secure workstations.

Microsoft is Like Internet of Old (4, Interesting)

tymbow (725036) | more than 7 years ago | (#18793601)

I had an interesting discussion the other day with some colleagues and we came to a consensus that many Microsoft products were and still are, or at least inherit, a design philosophy similar to that of the Internet when it was first created. The Internet was built on a basis of implied trust and as we have seen in present times, particularly with e-mail and the SMTP protocol, this model of design is a poor foundation. To counter these issues we need to design more and cleverer countermeasures in an escalating war with miscreants; a parallel we also see in Microsoft products with the never-ending cycle of Anti-Virus and Anti-Spyware updates and patches required to deal with both programming flaws and poor design choices that assumed trust (recall the ILOVEYOU debacle). The real kicker is that you could argue that many of the problems we now face on the Internet are largely due to poor design in Microsoft software which, as I noted, parallels the original design methodology of the Internet. We've had several articles earlier in the week pushing a view that the Internet needed to be re-architected due to its flawed security design (although I think it's more about commerce and control but I won't go there for now) - is it not also time to re-architect Microsoft and their approach to developing products? Would we even have these problems if not for Microsoft? My two cents.

So, I take it that they haven't found that... (1)

flyingfsck (986395) | more than 7 years ago | (#18793663)

...rigged Excel spreadsheet that wires money to ElQaida yet... ;)

Must suck to be Lenovo... (5, Funny)

cunina (986893) | more than 7 years ago | (#18793703)

...knowing that your products were banned from the State Department for some theoretical and highly unlikely exploit, while Microsoft Word continues to be used there despite a documented (no pun intended) security breach attributed to it.

open formats alone won't save you (3, Insightful)

secPM_MS (1081961) | more than 7 years ago | (#18793791)

It is easy to condemn Microsoft for the vulnerabilities in Office, but the root issue here is the rich functionality in modern office suites. Office came to dominate the market by its rich functionality, tight integration, and ease of use. The addition of sophisticated scripting functionality allowed organizations or integrators to add yet more value. It also created a fertile environment for malicious attackers. As long as the Windows operating system was easily broken, nobody bothered much with attacking the application stack. As Microsoft has raised the bar in the attack resistance of the operating system, attacks have moved up the stack. I was not at MS at the time, but I do not believe that security was at the top of the stack for Office 11 and earlier. I do know that substantial hardening was performed on Office 12, which I believe is now marketed as Office 2007. From my point of view, Office 12 should be viewed as a very important security update to Office 11. I know, they changed the UI. I wish they had left a "classic" option. They didn't. But Office 12 is far less vulnerable than Office 11.

In their determination to successfully match Office's rich features, Open Office has acquired similar vulnerabilities. One evaluation I saw some time ago concluded that Open Office was likely to be more vulnerable than Office.

If you want to be secure, run software that does what you need, and NO MORE! Rich functionality and extensibility are the attack points. Not many people want to restrict themselves to txt files or filtered html, let alone edit any longer with editors such as vi or microemacs. Due to their extensibility, pdf and postscript are suspect in the eyes of the truly paranoid, let alone the complex modern formats.

Re:open formats alone won't save you (0)

Anonymous Coward | more than 7 years ago | (#18793947)

No, the problem is that Microsoft doesn't know shit about security in their goddamn applications. They have a longstanding, proven track record of massive holes in their software that proves this.

State Dept: use Linux and OpenOffice.org. If you don't learn from this mistake, you are all a bunch of idiots. Well, I already believe you're idiots, but that's beside the point.

It was a Nuklear attack? (0, Troll)

infonography (566403) | more than 7 years ago | (#18793983)

I really think it's overdue to wipe away the cronies and have a professional semi-nonpartisan bureaucracy.

Well in my office (4, Insightful)

th3rmite (938737) | more than 7 years ago | (#18794081)

Most people who are not familiar with IT in the US Government have NO IDEA how dependent even the military is on MS products. Think MS based virii, worms and exploits aren't on classified networks? Networks that don't even share a common hardware link to the internet...

oh good lord (2, Interesting)

Essequemodeia (1030028) | more than 7 years ago | (#18794185)

Thank god there are no file sharing users/security risks at the State Department. It's better to populate an important governmental agency with drones as opposed to internet savvy employees who can't assist network administrators by giving them a slightly more informed heads up regarding odd or bizarre 'puter goings-ons. I hate my own sarcasm. Hate it.

Re:oh good lord (0)

Anonymous Coward | more than 7 years ago | (#18794743)

I suggest you read the article, in which Reid outlines what the chain of events was and what the reactions to each step were. Then perhaps when *you* ever deal with 3,000+ machines in over 20 countries and 5 timezones from yours, which is at least half a *day* behind the infected IT shops, you might have a little bit better picture of why things were apparently done the way they were.

It's far easier to condemn than it is to understand.

Word 2007 Flaws Are Features, Not Bugs (1)

someone1234 (830754) | more than 7 years ago | (#18794217)

According to MS, this is the normal course of operation. [slashdot.org]

Re: Word 2007 Flaws Are Features, Not Bugs (0)

Anonymous Coward | more than 7 years ago | (#18794503)

Those aren't open infected sores on her they are some of her better features.

Scanning at the mail server. (3, Interesting)

MulluskO (305219) | more than 7 years ago | (#18794375)

A sane email policy blocks executable files and archives containing executables, but allowing dot docs in is probably unavoidable.

I wonder then, if it might be possible to scan a Word document for stuff that's not needed. Treat all dot docs that have VB in them as executables and block them out. You might go so far as to attempt intelligent analysis of the document to make sure it consists only of code that would reasonably be generated by a human being. Perform sanity checks on certain variables and so on.

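One way to do what the post above proposes, as an added example that is not code from the article, from Slashdot or from any vendor: a gateway check that opens a Word attachment, finds out whether it carries a VBA project, and blocks it if so. It handles both containers Word uses, the legacy OLE2 compound file (.doc, where macros sit in a "Macros" storage) and the ZIP-based Office Open XML package (.docm/.docx, where macros sit in word/vbaProject.bin). The OLE2 directory walk is done by hand on the standard library so it runs offline; the function names, the "allow"/"block" verdict strings and the sample documents built at the bottom are all constructed for this example, not real attachments. One caveat a practitioner should keep in mind: the breach in the article came through a then-undisclosed vulnerability in Word itself, and a macro check like this catches VBA payloads, not a document whose malformed structure exploits the parser. That is why the verdict function fails closed on anything it cannot parse rather than letting it through.

```python
"""Mail-gateway check: does a Word attachment carry a VBA project?

Added example for this thread, not code from the article or any vendor.
Standard library only; the fixtures at the bottom are constructed, not real.
"""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
# Storage names Office uses for VBA projects (Word: "Macros", Excel: "_VBA_PROJECT_CUR")
VBA_STORAGE_NAMES = {"macros", "_vba_project_cur", "vba", "_vba_project"}


def ole_directory_names(data):
    """Return the name of every allocated directory entry in an OLE2 file.

    Follows the directory stream through the FAT. Only the 109 FAT sector
    pointers stored in the header are used; at 512-byte sectors that covers
    about 7 MB of FAT, far more than an e-mailed document needs.
    """
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE2 compound file")
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    if sector_shift not in (9, 12):                 # v3 (512) or v4 (4096) sectors only
        raise ValueError("unsupported sector shift %d" % sector_shift)
    sector_size = 1 << sector_shift
    first_dir_sector, = struct.unpack_from("<I", data, 0x30)
    difat = struct.unpack_from("<109I", data, 0x4C)

    def sector(n):
        start = (n + 1) * sector_size               # the header occupies sector -1
        chunk = data[start:start + sector_size]
        if len(chunk) != sector_size:
            raise ValueError("truncated file: sector %d missing" % n)
        return chunk

    fat = []
    for fat_sector in difat:
        if fat_sector >= 0xFFFFFFFA:                # FREESECT and other markers end the list
            break
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), sector(fat_sector)))

    names, seen, sec = [], set(), first_dir_sector
    while sec != ENDOFCHAIN:
        if sec in seen or sec >= len(fat):          # loop or pointer outside the FAT
            raise ValueError("corrupt directory chain")
        seen.add(sec)
        chunk = sector(sec)
        for off in range(0, sector_size, 128):      # 128-byte directory entries
            entry = chunk[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type == 0 or name_len < 2 or name_len > 64:
                continue                            # unallocated slot
            names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        sec = fat[sec]
    return names


def has_vba_project(data):
    """True if the attachment carries a VBA project, in either container format."""
    if data.startswith(OLE_MAGIC):
        names = {n.lower() for n in ole_directory_names(data)}
        return bool(names & VBA_STORAGE_NAMES)
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    raise ValueError("neither an OLE2 nor a ZIP container")


def gateway_verdict(data):
    """Block macro-bearing documents and fail closed on anything that does not
    parse as a Word container: a malformed file is what a parser exploit looks like."""
    try:
        return "block" if has_vba_project(data) else "allow"
    except (ValueError, struct.error, zipfile.BadZipFile):
        return "block"


def _dir_entry(name, obj_type, right=NOSTREAM, child=NOSTREAM):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBBIII", e, 64, len(raw), obj_type, 1, NOSTREAM, right, child)
    struct.pack_into("<IQ", e, 116, 0 if obj_type in (1, 5) else ENDOFCHAIN, 0)
    return bytes(e)


def build_ole(entries):
    """Minimal valid OLE2 v3 file (header, one FAT sector, one directory sector)
    with up to three (name, type) entries; type 1 = storage, 2 = stream. Fixture only."""
    assert len(entries) <= 3
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)      # versions, byte order, shifts
    struct.pack_into("<III", hdr, 0x28, 0, 1, 1)                      # v3 dir count, FAT count, first dir sector
    struct.pack_into("<IIIIII", hdr, 0x34, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))      # the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = _dir_entry("Root Entry", 5, child=1 if entries else NOSTREAM)
    for i, (name, obj_type) in enumerate(entries, start=1):
        directory += _dir_entry(name, obj_type, right=i + 1 if i < len(entries) else NOSTREAM)
    return bytes(hdr) + fat + directory.ljust(512, b"\x00")


def build_zip(names):
    """ZIP with the given empty members, standing in for a .docx/.docm. Fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


# Constructed samples, not real documents
DOC_WITH_MACROS = build_ole([("WordDocument", 2), ("Macros", 1), ("1Table", 2)])
DOC_CLEAN = build_ole([("WordDocument", 2), ("1Table", 2)])
DOCM_WITH_MACROS = build_zip(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])
DOCX_CLEAN = build_zip(["[Content_Types].xml", "word/document.xml"])

if __name__ == "__main__":
    for label, sample in [("doc+macros", DOC_WITH_MACROS), ("doc clean", DOC_CLEAN),
                          ("docm", DOCM_WITH_MACROS), ("docx", DOCX_CLEAN)]:
        print("%-11s -> %s" % (label, gateway_verdict(sample)))
```

The directory walk deliberately ignores the red-black sibling tree and scans every 128-byte slot in the directory sectors instead, so an attacker cannot hide a "Macros" storage by unlinking it from the tree while Word still finds it by name. The flip side of failing closed is that a legitimately odd file (a v4 container with 4096-byte sectors is accepted, anything else is not) gets quarantined for a human to look at rather than delivered.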
Re:Scanning at the mail server. (0)

Anonymous Coward | more than 7 years ago | (#18794905)

ODF, because of its simplicity, already has mail server products offering to clean out ODF documents coming in or going out from the inside (URL:http://www.3bview.com). So you don't necessarily have to lie back and think of Redmond with Office documents - you should actually be able to dismantle them at the entry point.