[personal profile] thewayne
RTF was a standardized document format almost before Word existed; it was developed by the U.S. Navy to give vendors a standard to code to, so that documents could move between computers. It has the advantage that the document is pure text with internal formatting codes.

Well, trust Microsoft to screw it up. Their implementation allowed malicious code to be embedded so that attackers could gain system access equal to that of the poor sap who opened the document. If said poor sap was a system administrator, guess what.... Even if they aren't an admin, the malware could phone home and pull down exploit packages that might let them escalate privileges to gain admin access.

One technique would be to ban the RTF file extension, but .rtf is a valid extension, and Word looks at the header codes rather than relying on the file extension to decide how to read the document, so that wouldn't work.
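
The flip side of that point is that a defender can sniff the header too. The following is an added example (not from the post) of content-based RTF identification that a mail gateway or file scanner could use to flag RTF regardless of extension; the leniency toward a leading BOM and whitespace, and the case-insensitive compare, are assumptions about how tolerant the check should be.

```python
"""Identify RTF by its leading control word rather than by extension.

Added example, not part of the original post. The idea: Word decides
how to parse a file from its header, so a filter that keys on the
".rtf" extension is trivially bypassed by renaming. Checking for the
"{\rtf" header catches the file whatever it is called.
"""
import os

RTF_MAGIC = b"{\\rtf"
# Assumption: tolerate a UTF-8 BOM and leading whitespace, and compare
# case-insensitively, so the check errs toward flagging rather than missing.
UTF8_BOM = b"\xef\xbb\xbf"
LEADING_JUNK = b" \t\r\n"


def is_rtf(data: bytes) -> bool:
    """True if the bytes begin with an RTF header, ignoring the filename."""
    if data.startswith(UTF8_BOM):
        data = data[len(UTF8_BOM):]
    data = data.lstrip(LEADING_JUNK)
    return data[:len(RTF_MAGIC)].lower() == RTF_MAGIC


def classify(filename: str, data: bytes) -> str:
    """Return 'rtf', 'rtf-disguised' (RTF content under another
    extension) or 'other', so a policy can block or quarantine on content."""
    ext = os.path.splitext(filename)[1].lower()
    if is_rtf(data):
        return "rtf" if ext == ".rtf" else "rtf-disguised"
    return "other"


# Constructed sample attachments (synthetic bytes, not real documents).
SAMPLES = {
    "report.rtf": b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}Hello}",
    "invoice.doc": b"{\\rtf1\\ansi Hello}",            # RTF renamed to .doc
    "notes.txt": b"just plain text",
    # Genuine OLE compound-file signature, as a binary .doc would carry.
    "real.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name}: {verdict}")
```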

Fortunately the problem doesn't seem to affect any other word processing programs except Microsoft Word.

http://it.slashdot.org/story/14/03/25/0156203/microsoft-word-zero-day-used-in-targeted-attacks


In an ideal environment in the Real World, those who need to be system administrators should not run the workstation they use for day-to-day work under their admin account. The best way, IMO, is to give them dual big monitors and a virtual machine that they can start up and sign on to with their admin account; that machine does not have Microsoft Office or anything else not directly related to administering the network. If they can pull it off, the admin account should not even have internet access.

Date: 2014-03-27 12:49 am (UTC)
From: [personal profile] silveradept
Great Maker. Leave it to Microsoft.

It does seem like a smart idea for admin to not have any outside-the-network access, though. Even if caught by malware, the account couldn't phone home or do things immediately. More time for a defense to work, I suppose.

Date: 2014-03-27 04:22 pm (UTC)
From: [identity profile] thewayne.livejournal.com
Apparently the hack came through how M$ implemented OLE, so it was purely within their implementation of Word and the OS.

At the police department in the '90s, we had two physical PCs and a KVM to switch our keyboard and monitor between them. After I left they added fingerprint scanners, I'm not certain if they are used to augment or totally replace the signon. At my last job, we had dual monitor setups and ran VMs in a dedicated window. If you need to download non-OS patches for servers, you do it on your non-admin PC and copy it to the server (if you're only updating one) or a network share (for updating many). You go ahead and use the server's OS updater for OS patches, and that seemed pretty safe.

In today's world where you have a couple of monster boxes with lots of blades and all your servers are virtual, I'm not sure how much that's changed the basic process.

Date: 2014-03-27 04:25 pm (UTC)
From: [identity profile] thewayne.livejournal.com
Myself, I always thought the first/best line of defense was not to use Internet Exploder and Outlook. Apparently, at least as an option (though it is the default) they still have the full install of Word (if you installed Office) to preview emails in Outlook, so you have a direct conduit for exploits.

Date: 2014-03-27 05:12 pm (UTC)
From: [personal profile] silveradept
That would be a good way, if people weren't so...enamored? of the default that is right there and apparently Just Works and all that security stuff is just too hard for them to process.
