
Thread: MS Word Zero-Day Exploit Found

  1. #11 (Senior Member, joined Feb 2002, 855 posts)
    ... Self righteous *****.
    I probably am. And if not for God's grace, I would be a lot worse. Still, I think you should take my advice.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  2. #12
    Well I am glad that I do not faze you, preacher. Perhaps when you post advice you should be a little less nice, because it really does make you look self-righteous. ^_^

  3. #13 (RoadClosed, Senior Member, joined Jun 2003, 3,834 posts)
    I often find that those who use the term "self righteous" are in themselves self worshipping. Viewing their actions as holy and wholesome in their own introvertional congregation of piety.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #14
    Ok to get this thread back on topic, I've got a question...

    How have you folks in the IT arena responded to this threat?
    Have you stopped allowing Word docs in via Internet email?
    What if anything have you adjusted?

    Unfortunately my users are admins on their respective desktops/laptops so I've had to block Word docs from coming into our environment via Internet email. Making many people as you can imagine.

    Curious about your response to this.

  5. #15 (RoadClosed, Senior Member, joined Jun 2003, 3,834 posts)
    Quote:
    How have you folks in the IT arena responded to this threat?
    Have you stopped allowing Word docs in via Internet email?
    What if anything have you adjusted?

    One example response... McAfee DAT 4766 detects the exploit. A quick report of the enterprise compliance level shows most clients with DAT 4667; those that did not show at least 4766 were force updated. In addition, the gateway can detect the exploit through GroupShield, and on the educational front users were "warned" about .doc files coming in. I also did a quick scan of the information store and there were no detections.

    Since there were no detections, blocking .doc attachments would have a serious impact on operations that wouldn't weigh against the actual threat. So with these other tools in place I will not block .doc attachments at this time and will watch closely for variants. If I did choose to block them I would have someone monitor the files that are getting blocked. Also, if there wasn't a valid need to have .doc files coming in I would have blocked them by now.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  6. #16
    I noticed the article only mentioned Office 200. But it makes me wonder if you could perform the same exploit in Office 2003. Taking it a step further, whether you could exploit the feature-rich setting that allows users to use Word 2k3 for all message creation in Outlook.

  7. #17
    Hi RC:

    Thanks for the response. I just removed the filters because, like you, our McAfee DATs detect the exploit and our PCs are up-to-date, and there doesn't seem to be much 'chatter' about other victims or widespread attacks. We just needed to quarantine things until all clients were updated.

    So we'll be monitoring the situation closely.

  8. #18
    For anyone who is not receiving Microsoft's Security Update newsletter:

    ********************************************************************
    Title: Microsoft Security Advisory Notification
    Issued: May 22, 2006
    ********************************************************************

    Security Advisories Updated or Released Today
    ==============================================

    * Microsoft Security Advisory (919637)
    - Title: Vulnerability in Word Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/919637.mspx
    - Revision Note: Advisory Published: May 22, 2006

    Read it for yourself, but here is the overview from TechNet:



    Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.

    Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.

    Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

  9. #19 (Member, joined Sep 2005, 77 posts)
    Most of the larger A/V firms (Symantec, McAfee, Trend, Kaspersky...etc) already have signatures in place to catch/block the malicious files.

    A contributor of Securiteam's website wrote the following as an interesting layered approach to prevent infection via applying a Software Restriction Policy:

    Windows XP users have a little-used weapon that they can use to blunt the effect of the in-the-wild malicious code targeting this vulnerability: software restriction policies. By using the “Basic User” SRP, users can launch Microsoft Word without the ability to write to certain registry and file system locations that the in-the-wild malware requires access to. This is a stop-gap measure based on the threat profile of the in-the-wild malware at this time and is only necessary if you’re still running interactively as an administrator. If you are, it should be a priority to change that if at all possible.

    I’ve produced a simple registry script that sets a Software Restriction Policy that runs any instance of ‘winword.exe’ with the ‘Basic User’ policy. Once the registry script has been imported, the SRP can be rolled back (if desired) via the Security Policy snap-in.
    The full article can be found here

    He also offers a link to the registry script that will modify the Security Policy.

    *just an update, might as well share some of this info with the rest of you*
    If you are running any of the following hardware firewalls that include A/V services, you should be protected: Checkpoint, Fortinet, CiscoASA, Aladdin Esafe

    Couldn't get hold of anyone at WatchGuard or SonicWall to find out if their A/V sigs protect against this vuln or not, and their sites did not provide anything useful....especially SonicWall's - last virus update notification was Oct 05 *winces*
    %42%75%75%75%75%72%70%21%00
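The Securiteam article quoted in the post above describes a registry script that runs every instance of winword.exe under the "Basic User" Software Restriction Policy level; the script itself is not reproduced on this page. As an added example (not the Securiteam contributor's script and not anything from the thread), the following PowerShell writes the equivalent SRP path rule and reads it back. It assumes an elevated PowerShell session on a Windows machine that supports SRP, and it relies on the documented Safer registry layout (CodeIdentifiers\<level>\Paths\<GUID>); the rule description string and the use of a bare file name rather than a full path are the author's choices here.

```powershell
# Added example: create an SRP path rule that runs winword.exe as "Basic User".
# Run from an elevated PowerShell prompt. Applies to Word processes started
# after the rule is written; restart any running Word instance.

$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$BasicUser  = 131072   # SAFER_LEVELID_NORMALUSER  (0x20000) = "Basic User"
$Unrestrict = 262144   # SAFER_LEVELID_FULLYTRUSTED (0x40000) = "Unrestricted"

# 1. Ensure SRP is switched on without clobbering an existing policy:
#    only create the top-level values if they are absent, so a deployed
#    "Disallowed by default" policy is left untouched.
if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
$cur = Get-ItemProperty -Path $Safer
if ($null -eq $cur.DefaultLevel) {
    Set-ItemProperty -Path $Safer -Name DefaultLevel -Value $Unrestrict -Type DWord
}
if ($null -eq $cur.TransparentEnabled) {
    # 1 = enforce for executables, skip DLLs (the secpol.msc default)
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord
}
if ($null -eq $cur.PolicyScope) {
    # 0 = apply to all users, including local administrators
    Set-ItemProperty -Path $Safer -Name PolicyScope -Value 0 -Type DWord
}

# 2. Add the path rule under the Basic User level. A bare file name matches
#    winword.exe in any directory, which covers Word XP and Word 2003 installs.
$ruleKey = Join-Path $Safer "$BasicUser\Paths\{$([guid]::NewGuid())}"
New-Item -Path $ruleKey -Force | Out-Null
Set-ItemProperty -Path $ruleKey -Name ItemData     -Value 'winword.exe' -Type ExpandString
Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0 -Type DWord
Set-ItemProperty -Path $ruleKey -Name Description  -Value 'Stop-gap for Word 0-day: run Word as Basic User' -Type String
Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord

# 3. Read back every Basic User path rule so the change can be verified
#    (or compared against what secpol.msc shows under Additional Rules).
Get-ChildItem -Path "$Safer\$BasicUser\Paths" |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Select-Object ItemData, Description
```

Running Word at the Basic User level strips the Administrators group (made deny-only) and most privileges from its token, which is exactly why the quoted article calls it a stop-gap for users who are still logged on interactively as administrators: malware dropped by the document inherits the reduced token and cannot write to the HKLM or system-file locations it expects. The rule can be removed later from the Security Policy snap-in, as the article notes, or by deleting the GUID key created above.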
