bit-tech.net

Microsoft warns of Word zero-day vulnerability

Microsoft Word's handling of rich-text files (RTFs) has been found to have a serious code execution flaw which is under active attack, with no true patch yet available.

Microsoft has warned customers of an as-yet unpatched zero-day vulnerability in its Word and Outlook packages which is being actively exploited to take control of targeted systems.

The flaw, described in Security Advisory 2953095, lies in how both Word and Outlook parse rich-text format (RTF) content. RTF has traditionally been regarded as safe from the macro malware and viruses that have plagued the company's own .DOC format, but ne'er-do-wells have found a way to craft an RTF file that corrupts memory in Word's parser and hands them arbitrary code execution when the file is opened in Word or rendered in Outlook's preview pane. The code runs at the privilege level of the currently logged-in user, so a standard, non-administrator account limits the damage but does not prevent the compromise.

That latter functionality is what gives real cause for concern: because Outlook 2007 and later use Word as their email reader and render RTF messages in-line in the preview pane, a user can be compromised merely by previewing or opening a malicious email - bypassing the usual need for the user to manually open an attached file. This vector does, however, only work if Outlook is configured to use Microsoft Word as the email viewer, which is the default on those versions.

'At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010,' Microsoft's Dustin Childs has confirmed in a statement to users. 'We continue to work on a security update to address this issue. We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.'

Although the targeted attacks currently concentrate on Word 2010, Microsoft has confirmed that the flaw exists in Word 2003, 2007, 2010, 2013, 2013 RT, Word Viewer, the Office Compatibility Pack, Office for Mac 2011, the Word Automation Services plugin for SharePoint Server 2010 and 2013, and Office Web Apps 2010 and 2013. The chances of anyone in an office environment not having one or more of the above installed, then, are slim - making this a serious issue.

Currently, there is no patch available. To keep users protected while a permanent fix is developed, Microsoft has released a Fix It which uses Office's File Block policy to stop Word opening RTF content at all - closing the hole, but also making it impossible to work with the cross-platform document format until the flaw is fixed properly. The advisory also lists reading email in plain text, which stops Outlook rendering RTF messages in the preview pane, and deploying the Enhanced Mitigation Experience Toolkit (EMET) as further mitigations until the update ships.
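For administrators who would rather audit and apply the same File Block workaround themselves than run the Fix It on each machine, the following PowerShell script is an added example and is not code from the bit-tech article, from Microsoft's Fix It or from the advisory. It assumes the registry keys and values mirror the advisory's manual steps (Word 2003 and 2007 use a FileOpenBlock key with RtfFiles=1; Word 2010 and 2013 use a FileBlock key with RtfFiles=2 and OpenInProtectedView=0); those paths and values are the script's assumptions and should be checked against Security Advisory 2953095 before any roll-out.

```powershell
# Added example, not from the bit-tech article or Microsoft's Fix It. Audits, applies or
# reverts the "Disable opening RTF content in Microsoft Word" workaround for the current user.
# Assumption: the keys and values below mirror the manual steps in Security Advisory 2953095
# (Word 2003/2007: FileOpenBlock with RtfFiles=1; Word 2010/2013: FileBlock with RtfFiles=2
# and OpenInProtectedView=0). Verify them against the advisory before rolling out.
param(
    [switch]$Apply,   # write the block; without this the script only reports
    [switch]$Revert   # remove the block again once the real security update is installed
)

# One row per Word version the advisory covers; Version is the Office registry branch.
$targets = @(
    @{ Name = 'Word 2003'; Version = '11.0'; Sub = 'FileOpenBlock'; Settings = @{ RtfFiles = 1 } },
    @{ Name = 'Word 2007'; Version = '12.0'; Sub = 'FileOpenBlock'; Settings = @{ RtfFiles = 1 } },
    @{ Name = 'Word 2010'; Version = '14.0'; Sub = 'FileBlock';     Settings = @{ RtfFiles = 2; OpenInProtectedView = 0 } },
    @{ Name = 'Word 2013'; Version = '15.0'; Sub = 'FileBlock';     Settings = @{ RtfFiles = 2; OpenInProtectedView = 0 } }
)

foreach ($t in $targets) {
    $wordKey = "HKCU:\Software\Microsoft\Office\$($t.Version)\Word"
    # The per-user Word branch only exists once that version has been run by this user,
    # so skipping absent branches avoids planting settings for software that is not there.
    if (-not (Test-Path $wordKey)) { continue }

    $blockKey = "$wordKey\Security\$($t.Sub)"
    $blocked = $false
    if (Test-Path $blockKey) {
        $cur = Get-ItemProperty -Path $blockKey
        $blocked = $true
        foreach ($name in $t.Settings.Keys) {
            # A missing value reads as $null and therefore counts as "not blocked".
            if ($cur.$name -ne $t.Settings[$name]) { $blocked = $false }
        }
    }
    $state = if ($blocked) { 'blocked' } else { 'NOT blocked' }
    Write-Output ('{0,-9} RTF opening: {1}' -f $t.Name, $state)

    if ($Apply -and -not $blocked) {
        if (-not (Test-Path $blockKey)) { New-Item -Path $blockKey -Force | Out-Null }
        foreach ($name in $t.Settings.Keys) {
            New-ItemProperty -Path $blockKey -Name $name -PropertyType DWord `
                -Value $t.Settings[$name] -Force | Out-Null
        }
        Write-Output "          -> block applied to $($t.Name)"
    }
    elseif ($Revert -and (Test-Path $blockKey)) {
        foreach ($name in $t.Settings.Keys) {
            Remove-ItemProperty -Path $blockKey -Name $name -ErrorAction SilentlyContinue
        }
        Write-Output "          -> block removed from $($t.Name)"
    }
}
```

Run it without switches first to see which installed Word versions still open RTF, then with -Apply to block them and, once the real update is installed, with -Revert to restore RTF support. Because the values live under HKCU they must be written in the context of each affected user; for a fleet, the same values pushed through Group Policy are the more manageable route, and reading email in plain text in Outlook should be applied alongside, since File Block alone does not stop a crafted RTF message reaching the preview pane.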

28 Comments

Umbra 25th March 2014, 10:40
More people should try "Open Office"; it will do what most people want for free, and you're not on the MS front line with all the scumbags trying to infect your software :(
RichCreedy 25th March 2014, 11:48
I just tried the Fix It on my system, and it came back as "does not apply to your system". I have Win 8.1 Pro + Office Professional Plus 2013.
Snips 25th March 2014, 12:36
Quote:
Originally Posted by Umbra
More people should try "Open Office"; it will do what most people want for free, and you're not on the MS front line with all the scumbags trying to infect your software :(

Unless you intend to send files to other Microsoft Office users.
Gareth Halfacree 25th March 2014, 13:13
Quote:
Originally Posted by Snips
Unless you intend to send files to other Microsoft Office users.
OpenOffice (and LibreOffice) support loading and saving to both .DOC and the new DocX format, and the latest Microsoft Office fully supports the Open Document Format used by OpenOffice. I should know: I wrote an entire book in LibreOffice, sending the files in .DOC format to the publisher. Worked fine.
Snips 25th March 2014, 17:10
As I've said before Gareth, I've been sent files that have been unable to open within Office. It wasn't Microsoft's fault. I was even asked to download a copy of the software to be able to open the file. It never was and we never used the company again. The majority of the business world is using Microsoft Office, if you make an open version, at the very least get it to be compatible with the major player.
RedFlames 25th March 2014, 17:19
Quote:
Originally Posted by Gareth Halfacree
OpenOffice (and LibreOffice) support loading and saving to both .DOC and the new DocX format, and the latest Microsoft Office fully supports the Open Document Format used by OpenOffice. I should know: I wrote an entire book in LibreOffice, sending the files in .DOC format to the publisher. Worked fine.

While interoperability between the two is a lot better than it was, there's still the odd issue on both sides... TBH I've had more grief with stuff done in iWork [Pages, Keynote and Numbers] than Libre/OpenOffice...

That said, are RTF documents that common any more? Haven't come across/been sent one in ages...
RichCreedy 25th March 2014, 20:40
Yeah, I've had customers who have had issues with LibreOffice and OpenOffice files when trying to use Word/Excel files.
wolfticket 25th March 2014, 21:49
Quote:
Originally Posted by Umbra
More people should try "Open Office"; it will do what most people want for free, and you're not on the MS front line with all the scumbags trying to infect your software :(
Word is quite good though... Especially if you use the bits that most people don't use, and for a lot of people it's what they're comfortable with.

Compatibility is a moot point as it works both ways, but I haven't found it to be perfect by any means working in either direction or indeed between different versions of MS Office.
Most office packages will open files created in others but whether they'll look the same is another matter.

This sounds like a fairly niche exploit since it relies on using Word to preview emails via Outlook. Not a huge issue for most users.
theshadow2001 25th March 2014, 22:09
Compatibility is OK, not brilliant. I reckon most users, professional or otherwise, would be fine with what LibreOffice offers. But they use MS Office at work so they use it at home.

Certainly I'll never buy Office off of MS when LibreOffice is around.
Umbra 25th March 2014, 23:08
Quote:
Originally Posted by wolfticket
Word is quite good though... Especially if you use the bits that most people don't use, and for a lot of people it's what they're comfortable with.

I'm sure it is and I'm not disputing that but I'm too tight to buy software that I don't use that much especially if a free open source program does what I want :D
Alecto 26th March 2014, 07:32
Quote:
Originally Posted by Snips
Quote:
Originally Posted by Umbra
More people should try "Open Office"; it will do what most people want for free, and you're not on the MS front line with all the scumbags trying to infect your software :(

Unless you intend to send files to other Microsoft Office users.

Why would this be an issue? Microsoft Office is incompatible with different versions of itself so anybody locked into M$ Office ecosystem (either by foolish personal choice or by company decision) is already familiar with formatting getting lost when sending stuff around. Don't want your documents to get all messed up? Don't use M$ Office.
Gareth Halfacree 26th March 2014, 08:05
Quote:
Originally Posted by Snips
As I've said before Gareth, I've been sent files that have been unable to open within Office. It wasn't Microsoft's fault.
Why wasn't it Microsoft's fault? It certainly sounds like it was as much Microsoft's fault as OpenOffice's fault.

Tell you what, let's get scientific here. You make a file in Word, save it as DocX, and send it to me. Then post a screenshot of Word displaying said file in this 'ere thread. I'll download the file, open it in LibreOffice, and post a screenshot of the same file - and we'll see how good the compatibility really is.

You up for that, Snips?
Snips 26th March 2014, 11:06
How about you send me the file, since that's the major issue I've had with "open" Office.

"The majority of the business world is using Microsoft Office, if you make an open version, at the very least get it to be compatible with the major player."

I also said that but you cut it from the quote.
Gareth Halfacree 26th March 2014, 11:18
Quote:
Originally Posted by Snips
How about you send me the file, since that's the major issue I've had with "open" Office.
No need for the scare quotes, Snips; OpenOffice is open. Would you like a copy of the source code?

Here's a file created in LibreOffice and saved as .DocX (although I can provide the ODT version, if you've got a copy of Office new enough to support the Open Document Format), and here's what it should look like:



(Text courtesy Picksum Ipsum.)
Snips 26th March 2014, 13:22
Yep, that file works fine Gareth. Is that to Microsoft's credit then?
Gareth Halfacree 26th March 2014, 13:32
Quote:
Originally Posted by Snips
Yep, that file works fine Gareth. Is that to Microsoft's credit then?
No, that's all on the LibreOffice devs; as far as Microsoft Office is concerned, that's a native DocX file. Now, if you want to paint Microsoft in a good light, try it again with the Open Document Format version. If Office loads that without corruption, then yes; that would be to Microsoft's credit. (It should, by the way; as far as I'm aware, ODT support in the latest Office is pretty solid.)
Snips 26th March 2014, 13:36
Yep, on this device it's only using Office 2007 and it works fine. So is that to Microsoft's credit?
Gareth Halfacree 26th March 2014, 13:46
Quote:
Originally Posted by Snips
Yep, on this device it's only using Office 2007 and it works fine. So is that to Microsoft's credit?
Absolutely it is, yes. So, we're agreed: compatibility, at least for word processor documents, between LibreOffice and Microsoft Office is fine these days. Huzzah!

Which means, of course, that this:
Quote:
Originally Posted by Snips
The majority of the business world is using Microsoft Office, if you make an open version, at the very least get it to be compatible with the major player.
has come to pass; the LibreOffice team did "get it to be compatible with the major player." Not bad for a freebie, hey?
theshadow2001 26th March 2014, 14:14
My only major complaint with Libre office writer is the image scaling tool is rubbish. If that was on par with Word it would be superdeeduperdy
Snips 26th March 2014, 20:26
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by Snips
Yep, on this device it's only using Office 2007 and it works fine. So is that to Microsoft's credit?
Absolutely it is, yes. So, we're agreed: compatibility, at least for word processor documents, between LibreOffice and Microsoft Office is fine these days. Huzzah!

Which means, of course, that this:
Quote:
Originally Posted by Snips
The majority of the business world is using Microsoft Office, if you make an open version, at the very least get it to be compatible with the major player.
has come to pass; the LibreOffice team did "get it to be compatible with the major player." Not bad for a freebie, hey?

I have to add that it also opened in wordpad, which is also a freebie so not bad Microsoft.

As other people have also confirmed here, I'm not the only one experiencing these "open" office compatibility issues.
Gareth Halfacree 26th March 2014, 21:16
Quote:
Originally Posted by Snips
I have to add that it also opened in wordpad, which is also a freebie so not bad Microsoft.
No, it isn't. It's bundled with Windows, which last I checked is a paid-for proprietary operating system. That's like saying that Ford gives away free steering wheels.
Quote:
Originally Posted by Snips
As other people have also confirmed here, I'm not the only one experiencing these "open" office compatibility issues.
Dude, enough with the scare quotes. OpenOffice is open. Here, have the source code. Care to offer me the same for any recent version of Office or Wordpad? Yeah, that's what I thought.

As we've proven, historical compatibility issues are largely a thing of the past. I can send you files made in LibreOffice and you can open 'em just fine. Remember the experiment we just did? Hmm?
Snips 27th March 2014, 15:53
Quote:
Originally Posted by Gareth Halfacree
Dude, enough with the scare quotes. OpenOffice is open. Here, have the source code. Care to offer me the same for any recent version of Office or Wordpad? Yeah, that's what I thought.

As we've proven, historical compatibility issues are largely a thing of the past. I can send you files made in LibreOffice and you can open 'em just fine. Remember the experiment we just did? Hmm?

Gareth, I'm not out to scare anyone and even though our experiment worked, I received a file this very morning that didn't so I reserve the right to judge the "open" office compatibility issues.

As to the freebie not counting, since you are trying to convince some Windows users to use LibreOffice. Surely it's wise to point out that in this very instance, the software that came with their operating system did the same job and would be ordinarily updated through their normal OS update procedure.

I never claimed that Microsoft Office was the be all and end all of Office Suite software, I was just sticking up for the major player that the majority of office suite users buy/download/use, that for some strange reason get ridiculed for doing so. I've used the software for over 25 years and never really felt the need to look elsewhere. I'm not saying that's right, I'm just saying that's what I do and that you can make an informed choice to use whatever you like.
Gareth Halfacree 27th March 2014, 15:58
Quote:
Originally Posted by Snips
As to the freebie not counting, since you are trying to convince some Windows users to use LibreOffice.
I'm not trying to convince anyone to do anything. As I frequently have to clarify: I couldn't give two hoots what software anybody uses. You want to use Microsoft Office, more power to your elbow. I just wanted to correct some misapprehensions about the alternatives, including your claim that LibreOffice and OpenOffice (again with the scare quotes - shall I start referring to Micro$oft like it was the 90s all over again?) were completely useless for sharing files with Microsoft Office users. As our experiment proved, that's not true. You can make claims to having received any number of incompatible files you like, but it flies in the face of the very public evidence of our experiment.

Again: anyone is welcome to use whatever software they like. You use Office and it works for you; I use LibreOffice and it works for me. Hooray for choice!
Snips 27th March 2014, 16:25
Sorry Gareth, text does sometimes come out sounding a little harder than it was meant to.
Gareth Halfacree 27th March 2014, 16:29
Quote:
Originally Posted by Snips
Sorry Gareth, text does sometimes come out sounding a little harder than it was meant to.
Apology accepted, and I apologise for being in any way unclear in my postings.

Incidentally, did you know you *can* download the source code for Microsoft Word? Granted, only for non-commercial research and experimentation, and it's Word for Windows 1.1a, but still. It's quite fun having a search through for key phrases like 'bug,' 'hack,' 'nasty,' and 'god!'
Corky42 27th March 2014, 16:56
Quote:
Originally Posted by Gareth Halfacree
Incidentally, did you know you *can* download the source code for Microsoft Word? Granted, only for non-commercial research and experimentation, and it's Word for Windows 1.1a, but still. It's quite fun having a search through for key phrases like 'bug,' 'hack,' 'nasty,' and 'god!'

For those that CBA to download it, some guy has posted some of what he found.
http://storify.com/leonzandman/microsoft-ms-dos-word-source-code-gems/preview
Nexxo 27th March 2014, 17:39
What I think is interesting is that the response to a vulnerability in Word is to argue for using OpenOffice or LibreOffice instead, as if those programs are absolutely secure pieces of software with no vulnerabilities. We know about the Word ones, because it is such a widely-used (and targeted) application. But at the risk of quoting Rumsfeld: there are known knowns, and unknown unknowns...
Gareth Halfacree 27th March 2014, 17:53
Quote:
Originally Posted by Nexxo
What I think is interesting that the response to a vulnerability in Word is to argue for using OpenOffice or LibreOffice instead, as if those programs are absolutely secure pieces of software with no vulnerabilities.
Nobody here has tried to claim that; in fact, the whole OpenOffice discussion began with the claim that its users were safer because it's not as popular as Microsoft Office and therefore isn't under constant targeted attacks, not because it's inherently more secure.

Now, there is the argument that it's easier to find security bugs in open source and free software because you can actually look at the source code; sadly, as recent events have shown, that doesn't always help. Apple's recent "goto fail" whoopsie, as an example, occurred in open-source code; worse, GnuTLS had an authentication error that could allow for man-in-the-middle attacks for an estimated eight years before somebody at Red Hat spotted it in a security review. Embarrassing.