Thread: New Microsoft Word Zero-Day Exploit discovered

  1. #1
    The ******* Shadow dalek
    Join Date
    Sep 2005
    Posts
    1,564

    New Microsoft Word Zero-Day Exploit discovered

    With a week to go before Microsoft releases its next batch of security patches, vulnerability watchers are warning of a new zero-day Word flaw that attackers could exploit to take control of Windows 2000 machines.

    The threat was first reported Saturday by Cupertino, Calif.-based antivirus giant Symantec Corp. in an email advisory to customers of its DeepSight Threat Management Service.

    According to Symantec's analysis, Microsoft Word is prone to an unspecified remote code-execution vulnerability attackers could exploit to execute arbitrary code on a vulnerable computer by supplying a malicious Word document to a user. If a recipient opens such a document, an attacker could "gain subsequent unauthorized access to the computer in the context of the user."
    Source
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  2. #2

    Cool

    So what's new? Microsuck is always having problems with something or another at this scale. If they wouldn't try to push it out so fast and worried more about the code, then they wouldn't have these problems.

  3. #3
    Gonzo District BOFH westin
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    From Secunia:
    NOTE: The vulnerability is being actively exploited.

    The vulnerability is reported in Microsoft Word 2000 running on Windows 2000. Other versions may also be affected.

    Solution:
    Do not open untrusted Office documents.
    http://secunia.com/advisories/21735/

    has anyone heard if there are 'other versions' that are affected? ...
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  4. #4
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    If they wouldn't try to push it out so fast and worry more about the code than they wouldn't have these problems.
    That does NOT fit the facts.

    1. They had 5 years to develop NT 5.0 (Windows 2000) and 4 service packs afterwards.

    2. The previous version of Office to 2000 was 1997 (prior to that it was Office 95, which was delivered late). Compare that to XP (2002), which was followed by 2003?

    So, both the OS and the Office suite have had the longest gestation periods of any in recent years.

    Also, it has taken over 5 years for the bad guys to discover this? Both softwares are effectively obsolete these days?

    westin, I don't think so; it seems to be a peculiarity of the combination, which probably explains why it has taken so long to come out?


  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    Both softwares are effectively obsolete these days?
    I wouldn't go that far... at least if you are talking about functionally obsolete. I know of lots of shops out there who are "thinkin about upgrading to xp..." We actually have a few 2k/O2K boxes kicking around here. I hate 'em... but I still got 'em; most are now XP/O2K03.

    A year ago almost 50% of OS were w2k http://www.theregister.com/2005/06/1...ws2000_nicely/

    While that will have changed some... I'd bet it's still over 30%.

    If you're talking structurally obsolete... from a support, security and maintenance POV, no question, but still widely used... I'm glad I've got an IPS helping protect even these old systems from this sort of attack.

    btw mprice... MS bashing, saying that they suck and their code sucks, is so 2001. They have made very large strides in cleaning up their house. Are they perfect? Not a chance, but being the elephant on the block makes them an easy target, and you can bet if there is one error in a million lines of code... someone will find it (or 25 errors... or whatever), just so they can say "I fecked over MS"... or so they can steal someone's personal info... and with organized crime now heavily into identity theft and fraud, some very bad, but very smart, people are out there creating malware.

    Just so you don't think I'm an MS cheerleader, I do think the problem with most MS apps is that they write giant apps that do things 95% of users don't even understand. Massive functionality = high potential for coding errors. But then you can't really keep inducing people to buy "Notepad 2007, Now With Fonts!" That being said, some of their apps are damn good.

    I'm pretty sure that the reason we've seen Vista delayed so much is almost entirely due to security. They've really staked the entire future of MS on getting this one right by making the commitments to security they have. Are they going to be able to do it? Probably not at first... http://www.theregister.com/2006/07/1...rity_analysis/ I look forward to using Vista after it's been compromised for a year or so...

    Open Source is not immune (I've had Firefox updated with 6 major updates since the release of 1.5 late last year).

    Finally, rushing patches out is not a great idea when you've a user base of a gazillion people relying on you to do it right (check out the Intel wireless driver security patch problems: http://www.antionline.com/showthread...hreadid=276148).

    In an MS world (and most of us are, whether we like it or not), the best we can do is keep patched, run an IPS, AV, a good firewall, stay informed and educate your users.


    Patches and vulns are a fact of life which is why I'm on the IPS bandwagon...

    http://www.securityfocus.com/infocus/1670
    http://www.nss.co.uk/WhitePapers/int...on_systems.htm

    Zero days don't worry me (as much as they used to, anyways).
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  6. #6
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm,

    I know of lots of shops out there who are "thinkin about upgrading to xp..."
    Well I don't know of any, and I don't believe that there are in the UK, even though that article is from The Register. The decision has already been made to stick with Windows 2000 until Vista comes out, and to skip XP entirely.

    Where I am, the local government, hospitals, colleges, schools and a lot of businesses are running 2000/2000, or 2000/2002. Hell, I even know quite a few outfits using Office 97. The attitude is "if it ain't broke: don't fix it".

    It took a long time for people to transition from NT 4.0 so this is just a way of thinking amongst corporations and institutions here. I think that we don't go into technology for the hell of it, and beancounters are very much in charge. Obviously the business sector has an influence on this, as the whole thing is budget driven.

    My comment on effective obsolescence refers to the fact that Office 2000 is now 2 releases out of date, and with Vista, Win2000 will be the same. I am actually somewhat surprised that anyone has bothered with an exploit for them, particularly given that neither had any great penetration into the home user market, at least over here. A more common combination would be WinXP/Office XP on newer machines and 9x/ME with Office 97 on older ones.


  7. #7
    Dissident 4dm1n brokencrow
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    The decision has already been made to stick with Windows 2000 until Vista comes out, and to skip XP entirely.
    That kind of decision varies widely among organizations. I'm in the middle of an XP rollout, 250 brand-new, leased Dells, replete with Office, what?, 2003, 2004 (what's Office up to now?). And we're replacing beaucoup W2K boxes (one half leased Dells, the other Compaq and HP boxes the hospital owns). I'm just one of the peons, so I'm not privy to the decision-making, but if I had to make a guess, they got a deal from Dell. At this juncture in the life of Windows XP, there's going to be some deals to be had.

    Money more than anything drives IT decisions. From what I've seen at this hospital (one of many that rhymes with "whiners"), common-sense is a distant second.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    I know of lots of shops out there who are "thinkin about upgrading to xp..."
    That was more of a comment on the slow rate of change in a lot of shops... however, I don't know (in my little world) of any who are going to jump straight to Vista... from 2k OR XP... too many unknowns... Vista SP1... ya, maybe.

    I'm sure Dell will be offering XP for at least a year after Vista is released (if MS lets 'em), and that's where I'll be placing my bucks... I like mature OS's. At this point XP is mature... 2k is probably a bit senile.
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  9. #9
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Money more than anything drives IT decisions. From what I've seen at this hospital (one of many that rhymes with "whiners"), common-sense is a distant second.
    Very true! Mostly I have mentioned "public sector" as opposed to "private sector" organisations. In the UK, most healthcare and education is State funded. In the finance, leisure, and hi-tech sectors, development would tend to go with what was available, after allowing a "period of grace" to ensure stability.

    Other sectors such as manufacturing, distribution, retail and agriculture do not have the profit margins, and IT is generally at the bottom of the food chain when it comes to budget allocations.

    Another factor over here is our tax laws, particularly those governing amortisation, and the way our corporations are financially structured. Although we do have stocks and bonds, most of them are controlled by ordinary shares which provided the bulk of their initial finance. These are variable income, via "dividends" based on net profit, and, as they have voting rights, confer control of the company. That makes the directors totally "bottom line driven". I have seen an IT project deliberately put on hold purely to "massage" the year end results. That would have increased the cost by at least $1.5 million in the long run.

    There was a relatively slow take up of Windows 2000 in some sectors. This explains the Win2000/Office 2002 (XP) combination that I mentioned. Not that hard a decision, as Office 2000 was not one of Microsoft's best efforts IMO.

    My prediction for Vista at the moment is that we will probably see SP1 around September/October 2007, which is when the people I am talking about are looking to make their move.
