How Do You Handle New MS Word Vulnerabilities? 157
chipperdog asks: "With yet another zero-day exploit of MS-Word document files, what are fellow system admins doing to protect themselves against these threats? I have been blocking all .doc and .dot at the mail and proxy servers until malware scanners have signatures to detect and block the malicious files. Of course, this caused a uproar with the users, as there were continuous calls like: 'When can I send and receive Word files again' and 'I can't get anything done if I can't send/receive Word files'. Any suggestion of sending documents in different formats (like rtf, html, txt, or pdf) results in even more creative user 'feedback'. Has anyone done anything creative in their handling of word files — like having qmail-scanner pipe all .doc attachments through something such as wv to convert them to a less exploitable format?"
You can't... (Score:5, Insightful)
Re: (Score:2)
Because MS's proprietary formats mean that the vulnerabilities in their code preclude easy backup plans should a new exploit like this come out.
I would say that MORE businesses need to be crippled by the threat of infection via Word. Maybe then the powers-that-be in those companies will start looking long and hard at alternatives to Word and software with other proprietary formats. Advise the PHBs: "Well, look, you can either take the risk of $HORRIBLE_WORM_ATTACK or you can deal with no
Re: (Score:2)
I question your use of the word "no" here. I think you are incorrect. Proof of concept exploits are out there and I think it's a matter of time before something nasty gets released.
I'll agree that at least for now the risk is low, but I think that's going to change over time. Further, one needs to assess risk vs. loss. Our shop is a mid-sized lab. We can afford to spend a few hours a week of our IT staff sifting manually through filtered DOC attachments. The consequences of a
Re: (Score:3, Insightful)
Why would banning Word documents bring your company to a halt? Word will open RTF files (for example) just as automatically as it will it's native format. It can save as RTF almost as easily as it's native format, it's at most 2-3 extra keystrokes once in the entire lifetime of the document. RTF handles all the text formatting, images and such that Word's native format does. The only things it doesn't support are the active content and such that malware uses, and I don't see that as a problem. So why should
Re: (Score:3, Insightful)
Re: (Score:2)
sure you can (Score:2)
Re: (Score:2)
Also, do they actually know about these vulnerabilities? I'm a Debian user and they send me an email when vulnerabilities become known. Does Microsoft do this too?
Re: (Score:2)
I believe the usualy reliable Otter is a couple of days out of date here.
Targeted attacks using the Word vulnerabilities [computerworld.com]
Panda reports attack code which they call iTable.A [darknet.org.uk]
For what it's worth, Symantec reports wild occurrences of Word exploits [symantec.com].
Just use OpenOffice rather than cutting them off (Score:3, Insightful)
OpenOffice also runs on more platforms & is developing faster, & the docs are much easier to externally process (they’re basically ZIPped XHTML in a moderately sane format).
Oh, yes, and it’s much cheaper ($0 per seat) &
Re: (Score:2)
At least for now we filter... (Score:3, Informative)
It's frustrating for the end user as they don't have instant access to their attachment (sometimes there's a 4-hour delay before the file can be manually inspected -- still waiting for some def-files!) and it's taxing my staff time-wise to do this (we've got better things to do than check for any monkey-business in word documents). We've suggested everyone convert to PDFs and send THOSE and it's been working but it's still a disruption.
Re: (Score:3, Informative)
"Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as
source [eweek.com]
Re: (Score:2)
Thanks for your concern.
Re: (Score:2)
Extensions & MIME are a hint.
Meta data is not trustworthy
strings (Score:2)
(I'm almost serious).
Rename the files (Score:2)
Re: (Score:2, Funny)
Re:Rename the files (Score:5, Insightful)
Re: (Score:2)
Clueless users can't be trained. IT people have been trying to train them for years, but the malware problem keeps getting worse because these users can't grasp very simplistic concepts. What amazes me is that companies continue to hire people like this that need t
Re: (Score:2, Insightful)
The reason is simple. Such people can be hired for less money per hour. This increases profitability and thus directly affects management's bonuses. That is what matters to management. Any problems caused by this are obviously the technicians' fault .
Open Office (Score:4, Interesting)
Re: (Score:2)
(1) Portable Open Office: http://portableapps.com/apps/office/openoffice_por table [portableapps.com]
It is "no-install" in the sense that the file you download just unzips OO into a folder for you.
If the download size is a big deal, (2) Portable Abiword [portableapps.com] is much smaller, but only does basic word processing stuff.
Re: (Score:2)
Re: (Score:2)
You probably also want to set up OO to save in .doc format as a default (or maybe not!).
This is actually really good timing for the OpenOffice group, as they've just rele
Re: (Score:2)
The stick. (Score:2)
Heh.
The bulk of our traffic here is excel and powerpoint, so limiting word documents hasn't been a real problem. Additionally, corporate used to require stupidly high end router hardware in all parts of the building which was abusive on the budget, but, at times like this, comes in han
Wow... glad you don't work for me. (Score:5, Insightful)
A better solution is to educate the users - send out a mass email explaining the vulnurability, that you shouldn't be opening and doc's you aren't expecting. If you do it is your own damn fault and the timeliness of the fixing of your machine can not be guaranteed. There is no reason to choke business as you have and quite frankly the users have every reason to be upset.
Re:Wow... glad you don't work for me. (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
Too bad the resume is the .doc file. We'll put you down under a list of "people who just don't get it". Unless you were trying to be funny. Then we can put you down on the list of "people with no sense of humor".
Re: (Score:2)
Re: (Score:3, Informative)
Users then access the pdf files from the 'safe' area normally, if you want to just ha
Re: (Score:3, Interesting)
I like the position my ISP's HR people take: "The posting said "No Word documents accepted.". The job's as a senior network engineer. It's going to require lots of detective work to troubleshoot obscure and arcane problems. If you can't figure out how to use Word's "Save As" to save in RTF or HTML, you are not qualified for the position. If you can't figure out that "No Word Documents accepted." means we won't be accepting Word documents, you aren't qualified for any position.".
Re: (Score:2)
Re: (Score:2)
I can't understand the appeal of submitting your resume in Word format anyway. If I'm writing a resume I'm normally going through and being a perfectionist and getting everything "just so". The last thing I want to do is spend all that time and then have my resume appear completely differently on my employers computer due to font issues or something. If layout matters (and really, for a resume, you should care) then s
Re: (Score:2)
Just to be pedantic, neither postscript nor PDF make that formatting guarantee either unless you embed all necessary fonts. Ask yourself how many people know how to do that.... :-)
I'd recommend HTML. That way, at least you know that the flow will be sensible, unlike some lovely PDFs I've seen....
Re: (Score:2)
That depends on how the PDF is generated. If you're using PDFTeX then it isn't very hard at all.
Re: (Score:2)
PDFTeX? About three.
Re: (Score:2)
OpenOffice.org embeds all fonts (subsetted) by default. So does PDFCreator or Distiller. I'd be hard pressed to come up with an example of a widely used pdf creation tool that doesn't.
Re: (Score:2)
There's one problem. His HR person reads resumes on a Mac using a 22" monitor with all the bells and whistles. He reads resumes on a system with exactly one font: fixed-pitch Courier, with pages a fixed 80 characters wide and 50 lines high. Both of them have to be impressed by the resume for it to get considered. When deciding that layout matters, think long and hard about your assumptions about how your layout will render. Then there's the question of fonts. Sure, that one font looks great on your system.
Re: (Score:2)
Re: (Score:2)
One word: VT100.
Re: (Score:2)
Re: (Score:2)
He's not 30 years behind the times. He needs to access his e-mail from anywhere, regardless of connection. He might be working on a high-end workstation, a laptop or his PDA. It may not support remote graphics. He can't use a client that stores information locally, because he changes machines all the time. But for anything text, PuTTY or some sort of terminal emulation gives him full access to every one of his office machines from anywhere. Once he has that he doesn't need client software locally, he's got
Re: (Score:2)
Re: (Score:2)
Of course ending this blind reliance upon MS Office would be a nice option, though i can't ever see it happening, the users would riot if they discovered that their viral email attachments didn't behave the same way as they did on carol's computer at
Re: (Score:2)
Re: (Score:2)
Tell them to require that resumés be submitted as
Re: (Score:2)
Welcome to corporate, employee number 877346...
Re: (Score:2)
Re: (Score:2)
He's talking about executable code, not merely information. These aren't documents, they're programs. MS Word just calls them documents.
Your point stands that the users need to be educated, but you should never let them frame the problem dishonestly, as though they were really merely asking to be able to email "information" back and forth. What they are asking for, is pretty bizarre and horrifically unsafe. Yes, I know it'
Re: (Score:2)
It's also number 5 on the list of The Six Dumbest Ideas in Computer Security [ranum.com].
Re: (Score:2)
Only if your company cannot be productive without accepting files that are security hazards. In that case, you have two choices: either you no longer accept the security hazard and take a hit in productivity, or you exchange the certain hit in productivity for a risk of something probably much more damaging. Either way, you pay a price for tying your productivity to known insecure products. Of course, not using these product
Zip the files (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Its pays to be thorough (Score:5, Funny)
The simplest way. (Score:4, Insightful)
Severity < severity (Score:2)
It's likely that OOo and AbiWord only crash when they encounter a malformed file. A crash is a local denial of interactive service, which is a vulnerability of much less severity than an arbitrary code execution.
Quarantine (Score:3, Insightful)
When we have viruses exploiting Word files, part of our security team sends out a notice that says we're temporarily quarantining the files until we can have them cleared. But really, you can't indefinitely stop word files from coming in.
I'll admit I'm too lazy to read the exact detail of the exploit, but shouldn't this whole situation be alleviated by good, layered network security anyway?
Re: (Score:2)
Well, the latest vulnerability allows a malicious word doc to run code on the users machine. Assuming I wrote a userspace piece of malware, I could easy start sending stuff (anything the user has access to, theoretically) out port 80 to a collection point. Since windows will open documents with unknown extension but proper Word headers in word, filterin
Scan, rinse, repeat. (Score:2)
Right now there's no good RPC-exploitable worm for Windows. Any word-based infection is going to be localized to a single machine (or, at most, to those machines a user has remote local administrative rights on). So, we watch. We stay at yellow allert, and we don't panic. Because right now, there's nothing to panic about. The ability to spread a virus/worm/mal* to a single mac
stripping macros (Score:2)
easy (Score:2)
MIMEDefang.. customize mimedefang-filter (Score:5, Interesting)
Any attachments with a
Also to reduce the overhead, get the sha1sum for the word document, and save the pdf to
Before any documents are converted with openoffice, get the sha1sum. if a
This stills allows people to get the content, which is most of the time, all they want.
There is also a program called antiword that will convert ms word documents to text, PDF, or PostScript.
But openoffice does a better job.
Re: (Score:2)
Or use plain text, which will suck if there is any kind of formating in the
Re: (Score:2)
So that attackers can automatically attack your systems (without you having to click) by exploiting vulnerabilities in OOo?
Re: Antiword or Catdoc (Score:2, Informative)
Antiword: http://www.winfield.demon.nl/ [demon.nl]
Catdoc: http://www.45.free.net/~vitus/software/catdoc/ [free.net]
Add this to your
autocmd BufReadPre *.doc set filetype="msword"
autocmd BufReadPost *.doc silent %!antiword "%"
autocmd Filetype msword call s:MyMSWordSettings()
function! s:MyMSWordSettings()
set readonly
MOD PARENT INFORMATIVE (Score:3, Informative)
Thanks for the links. I know this problem isn't proven on OS X, but based on the executive summary I'd suppose it could be an issue, so to Mac OS X people, textutil(1) can read doc and convert to txt, html, rtf, or even webarchive, so you get all the images.
Textutil is in /usr/bin on an install of OS X, and just acts as a wrapper for the OS X text word processing subsystem.
Re: (Score:2)
Thankfully, VIMs presence is.. um.. low, compared to Word. Still, the HORROR! Being owned by a malicious ASCII file!
YMMV
Ratboy
The answer is obvious. (Score:2)
Yet more evidence of the truth and beauty of the Church of Emacs [dina.kvl.dk].
Or, if one is into truly antediluvian forms of worship, Ed, man! !man ed [gnu.org].
Simple (Score:2)
Re: (Score:2)
Sandbox as much as they'll let you (Score:2)
If your users need to send/receive executable code from/to strangers (which is essentially what they're asking for) then you're in a nasty situation.
If you're the boss, one obvious thing to do is to make them sign something to the effect that the cost of cleaning up after their willful unsafe practices, will come out of their own paychecks.
Let's assume you're not the boss.
You can't trust sca
You should be limiting .DOC email exchange anyway (Score:4, Interesting)
Re:You should be limiting .DOC email exchange anyw (Score:2)
Re: (Score:2)
It doesn't take much technical sophistication to handle "update" and "commit", and that's 95% of the operations on this sort of repository. Very little branching, some use of logs...but really, what people need is a place to put documents that fires off commit emails and where it's possible to get a log or pull an old version if necessary.
As far as the sales guys are concerned, it's a lot like a network share, except that they
Obscure Onion reference? (Score:2)
Remove the root cause (Score:3, Insightful)
Risk management (Score:2)
Remember, everyone in your company has a job to do; your job is to help them do their jobs. Sometimes employees will be impacted by security issues; but when their time is spent primarily working around your paranoid security restrictions, then you're hurting your business. Right now, you're more likely to either 1: Get fired, 2: insult an important business client, 3: piss off a valuable employee who will decide to move to a company who doesn't have an @$$h0l3 running their network...
It's good that you
Open Office on a Mac (Score:2)
Fortunately with computers you can just make backups and only loose a day or two of production if everything goes to shit. Not so possible with a head on collision at 50mph.
What Word Documents? (Score:2)
I stopped using Word back in 1997 when I couldn't get a simple (C) to not be turned into a copyright symbol in a document. After several hours of searching help and disabling what seemed like hundreds of preferences that began with "auto," I pasted the document text into Netscape Gold's HTML editor and never looked back.
I've given the PHBs plenty of trouble since then by not accepting DOC files (or later on Excel files either). They can't figure out how to save in any other format (which was my suggesti
Risk (Score:2)
So you block Ms-Word, what's the threat (and it exploited yet which is Likelihood) and finally what's the impact of the threat. Now apply this your actions.
Another thing I'd say various IE issues are more of a risk than little exploited (to date) in Word.
Given the time you are spending, the impact you're having on the business, is your 'fix' worth it?
Filtering... (Score:2)
It's quite easy to filter out things like the jpeg exploit, just try opening it with a jpeg library on the filter server, the exploit jpegs won't load properly and error, or you can convert them on the fly to another image format.
Ofcourse this brings up a risk to your server, but the risk is much smaller, the server is likely to be hardened, could be running many different os's on several different hardwa
Re: (Score:2)
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
Using Word isn't a reasonable solution. The problem is inherent in the tool you're using. Switch tools.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2, Insightful)
Being an ex-network administrator, I have come to the conclusion that it is us who save the company tons of money by keeping it safe from exploits. By practicing good security measures, anti-virus installations, ad-ware remover, etc, it usually cuts down considerably on the amount of work it takes to keep the network infrastructure free of viruses and spyware, allowing time to focus on other important factors, such as Word exploits, migration from windows to a linux OS if all it requires is word processing,
Re:I don't (Score:4, Interesting)
Also, to the original question:
Scanning
From the e-week article:
"Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as
Re: (Score:3, Informative)
"Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory,"
There's no way to protect from these documents via group policy, short of a group policy that disallows word from running.
Re: (Score:2)
Even "reliable sources" aren't reliable. Most e-mail viruses now don't spam random e-mail addresses to propagate, they scan the user's address book and send their malware-laden messages to those people. So just the fact that the e-mail's coming from someone you know and even that you're expecting a document from them doesn't mean you can assume that e-mail isn't from a virus carrying a dangerous payload.
Open Office is not slow for me. (Score:2)