Microsoft Issues Zero-Day Attack Alert For Word

Slashdot ^ | 12/05/2006 | kdawson

[sionnsar]

0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."

[sionnsar]

Microsoft Security Advisory (929433)

Vulnerability in Microsoft Word Could Allow Remote Code Execution

Published: December 5, 2006

Top of section

Microsoft is investigating a new report of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.

In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.

Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

General Information

Purpose of Advisory: To provide customers with initial notification of the publicly disclosed vulnerability. For more information see the “Workarounds and Mitigations” and “Suggested Actions” section of the security advisory.

Advisory Status: Under Investigation.

Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file.

References	Identification
CVE Reference	CVE-2006-5994

This advisory discusses the following software.

Related Software

Word 2000

Word 2002

Word 2003

Word Viewer 2003

Word 2004 for Mac

Word 2004 v. X for Mac

Works 2004, 2005, and 2006

Top of section

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Word, which is a component of Microsoft Office. This vulnerability affects the software that is listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Microsoft is developing a security update for Word that addresses this vulnerability.

What versions of Microsoft Office Word are associated with this advisory?
This advisory addresses Word 2000, Word 2002, Word 2003, Microsoft Word Viewer 2003, Word 2004 for Mac, Word 2004 v. X for Mac, and Works 2004, 2005, and 2006.

Why is Microsoft Works Suite is listed in affected software?
Microsoft Works Suite is listed in related software because it includes Microsoft Word.

What causes the vulnerability?
When a user opens a specially crafted Word file using a malformed string, it may corrupt system memory in such a way that an attacker could execute arbitrary code.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by persuading the user to open the file.

Top of section

•	An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
•	In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
•	The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
•	Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.

Top of section

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

•	Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.

Top of section

•	Protect Your PC We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.
•	For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
•	Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country. All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
•	We recommend that customers exercise extreme caution when they accept file transfers from both known and unknown sources. For more information about how to help protect your computer while you use MSN Messenger, visit the MSN Messenger Frequently Asked Questions Web site. Keep Windows Updated
•	All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Top of section

Resources:

•	You can provide feedback by completing the form by visiting the following Web site.
•	Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
•	International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
•	The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions: 

•	V1.0 (December 5, 2006): Advisory published.
•	V1.1 (December 5, 2006): Advisory updated to provide additional clarity around the investigation.

Top of page

[sionnsar]

Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.

Sigh. Might as well go on vacation...

[jdm]

Can't we all just use Lotus Notes?

[IncPen]

In case you missed it.

[ShadowAce]

[Alouette]

Can't we all just use Lotus Notes?

There is always elm and vi

[MadIvan]

OpenOffice.org time.

Regards, Ivan

[tx_eggman]

Microsoft ... where quailty is job 1.4

[sionnsar]

Microsoft ... where quailty is job 1.4

LOL. (Or maybe I shouldn't... Microsophht HQ is just 2 miles from here...)

[sionnsar]

Can't we all just use Lotus Notes?

Sigh. We switched back to MS Outlook after a couple of years with Notes... and IT *still* hasn't gotten my Outlook address book to work.

[Calvin Locke]

I've been a user since StarOffice in the late 1990s, but there are some things that Word just does better. And more
reliably (including virus attraction).

I've seen no need to upgrade from Word97, for the few things that it does that OO doesn't.

[Dont Mention the War]

Microsoft suggests that users 'not open or save Word files,' even from trusted sources."

Quite a plan you've got there, Ballmer.

[Vermonter]

ping

[Diogenesis]

[rzeznikj at stout]

...and (gasp) Emacs 8^)

[Tanniker Smith]

You know, I still have an old disk drive that I took from an old machine that had a ton of Lotus Notes mail from my last job (the personal stuff that I kept and then transferred to my home machine), but I can't read it.

Actually, I never thought about checking if Outlook will import the stuff. (Note to self:)

TS

[The_Reader_David]

How nice. The only MS code on any of my machines is the older version of Office for Mac that isn't affected by this alert.

Make one wonder what rot the ported from the Windows version into the 2004 Mac version to make it vulnerable.

[TChris]

Microsoft ... where quailty is job 1.4

Microsoft is simply responding to the market. When customers are willing to pay for software that's well-marketed and flashy, but low quality, why shouldn't they provide it? Higher quality costs more to produce.

The majority of consumer software customers respond to marketing, not quality. They're simply too under-informed about their purchases.

Microsoft are masters of marketing. Therefore, they usually win.

[TheBattman]

Don't open any Word documents today.... even on a Mac.

Ping.

[Constantine XIII]

I think nano gets shortshrifted in these discussions. ^_^

[KoRn]

"Microsoft has tested the following workarounds.

Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.

Protect Your PC - (Could this mean avoiding their products all together?)

We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.

This being their "workaround" is just funny to me. LOL what a joke!!

[Lonesome in Massachussets]

>> I've seen no need to upgrade from Word97,...

Are you mistaking Word 2003 for an upgrade? I still have Word 97 on my old family computer at home and Word 2003 at work and on my laptop. '97 works fine and if it ducks even one virus, that's gravy.

[rzeznikj at stout]

...as does pico, Scribus, Kwrite, Sam, Kate, Joe, and Ted 8^)

[Constantine XIII]

lol!

[rzeznikj at stout]

The funny thing is that I've got them all on my computer...

[Constantine XIII]

Whoops, we missed gedit! :p

[Darnright]

>OpenOffice.org time.<

Funny you should mention that. I just downloaded a new copy to the laptop my husband's getting for Christmas.

I hate spending such a large amount of money for Microsoft Office. Protection from nasties is an added bonus.

[Salo]

The proper spelling is "Loathsome" not "Lotus." :-)

Can't we all just use Lotus Notes?

BTW, Loathsome Notes uses so much MS code it's generally vulnerable to the same things office products are.

[MadIvan]

I'm a Linux person - largely because of what it's done for my old laptop (which I'm using now) - it's made it as sleek and fast and lovely as anything I could buy in the shops today. I can't think of a single instance in which I've missed Microsoft Office - OpenOffice on Linux is great. In fact, I've had difficult to open documents on my Windows PC at work, which I've had to use Openoffice (for Windows) to open which wouldn't have been viewable otherwise!

Regards, Ivan

[sionnsar]

Not to mention TSE - The Semware Editor.

[sionnsar]

What distro are you using?

[MadIvan]

I use Ubuntu 6.10 ("Edgy Eft").

Regards, Ivan

[Calvin Locke]

Yes, and I didn't explain myself very well.

I only keep Word 97 for envelopes, and the ease of word documents (pasted from Firefox) for d/l to my PDA.

Yes, I could use OO for saving into Word format, but it likes to go to the internet for embedded objects that Word 97
ignores, and since I generally block it, it has to time out, and then, it will sometimes crash.

If I really wanted linked objects...I'd save the damn stuff as a Web Page.

Most "upgrades" are usually bloatware.

Ah, for the days of Brief. I'd include Emacs, but Emacs wasn't exactly svelt.

[Swordmaker]

Windows Word Zero-Day vulnerability apparently also affects Word for Mac - PING!

Solution: Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.

If you want on or off the Mac Ping List, Freepmail me.

[FYREDEUS]

Just don't use versions from 2000-2006 [hmmmm] of software containing Word and you'll be fine...

There goes the number one reason for running Windoze?

Or waitaminute...hmmmmmm...

Interesting news right after they release Vista for corporations & with NEW version of Word/Office coming...suddenly the old versions are ALL broken DANGEROUSLY...and no patch just dont use THOSE...

Quite a plan indeed Ballmer...

[Tribune7]

ping

[Temple Owl]

Get a Mac!

[zeugma]

Microsoft suggests that users 'not open or save Word files,' even from trusted sources."

Best advise I've seen from Microsoft in ages.

[zeugma]

/s/advise/advice/g

 Don't you hate it when you catch mispellings as the thing is posting?
 

 

[zeugma]

edlin?

<shudder>

I generally use sed and awk from the command line to create any documents I need. Editors are for wimp. 

[zeugma]

Ah, for the days of Brief.

Underware made the -best- -editor- -ever-!

There are things I could do with Brief macros in 5 minutes, that I still can't do without spending a hell of a lot of time and effort to do in any editor around today. Best of all, a zipped copy would fit on a floppy. It was a part of my emergency toolkit back in the day.

[publana]

Very interesting indeed since I received my email today from M$ thanking me for participating in their beta program and promising me a complimentary copy of Vista in February (They did not state which version.) I found this hilarious since I chunked every DVD into the trash immediately after the DSL truck dropped it off at my door.

[Constantine XIII]

LOL, now THAT's hard core. ^_^

[MarkL]

Re: elm and vi

...and (gasp) Emacs 8^)

And then there's ed and ex. After all, who really needs to see more than one line of text at a time!

Or xedit! That's a good one, but then it was a big step forward from one of these:

Mark

[MarkL]

/s/advise/advice/g

Don't you hate it when you catch mispellings as the thing is posting?

But your command changed all the instances in this entire thread where one person is trying to advice someone on how to use global substitutions! :-)

Mark

[MarkL]

I generally use sed and awk from the command line to create any documents I need. Editors are for wimp.

Pah! Piker! Real "dudes" use "here documents" exclusively, created at the command line using cat!

I remember using a CRT terminal for the first time! You "young-uns" have it SO easy! When I started, we used hollerinth cards made out of rock! Have you ever tried to create a line of code on an 80 column card made out of rock using a tiny hammer and chisel?

Mark

[ReignOfError]

Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file.

There. Fixed it.

[ReignOfError]

When I started, we used hollerinth cards made out of rock! Have you ever tried to create a line of code on an 80 column card made out of rock using a tiny hammer and chisel?

Sheesh. You should have at least had a bullpen of pterodactyls to chip away at the stone cards. Dude, Fred and Barney had those.

[ReignOfError]

Can't we all just use Lotus Notes?

Yeah, and we can all nail our testicles to a tree, but that doesn't mean any of us want to.

Well, technically, about half of us would have to nail something else to a tree, perhaps something else beginning with T, but in any case I think we'd rather pass.

[Swordmaker]

Ping