
Microsoft Word 2003, 2007, 2010, 2013
Microsoft has warned its Word software is vulnerable to a newly discovered dangerous bug – which is being exploited right now in "limited, targeted attacks" in the wild. There is no patch available at this time. The flaw is triggered by opening a maliciously crafted RTF document in the Microsoft Office word processor, or …
ElReg writes:
Microsoft Word 2003, 2007, 2010, 2013, and Office for Mac 2011 are vulnerable, according to Redmond. Microsoft Office Web Apps, Automation Services on SharePoint Server 2010 and 2013, and Outlook 2007, 2010 and 2013 when using Word as the email viewer, are also affected.
Legacy code or what!
Their latest Web Apps replicate a bug of Word 2003???
Code review, anyone?
Having a ridiculous bug like that, spread over a decade of versions is one thing..
But it's been known by Microsoft since the end of January. It's now almost the end of March, and there's still no patch for a remote code execution vulnerability, that's potentially in the wild??
If you ever wanted a reason to use open-source then this is it!
"all new versions have been mostly cosmetic changes"
That is a bit of a stretch. RTF was never the main document format for MSWord. http://en.wikipedia.org/wiki/Rich_Text_Format shows some changes to the RTF format over the years, but I don't necessarily see why you feel they should rewrite all of their code with every release. (Wouldn't that make it harder to ensure compatibility with previous versions -- something MSOffice users do have an interest in keeping?)
Problem is... people don't know their arse to their Microsoft Word document most of the time in the home or office-scape. Especially when Word (AFAIK) conceals each document under the same icon. You'd need to understand what a file extension is to avoid opening a malicious document.
Even worse, someone could easily send a mass *.doc/*.docx and disguise an RTF underneath as the later versions will auto detect the format?
Oh oh.
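On the point in the post above that later Word versions pick the parser from the file's contents rather than its name: a mail gateway or triage script can make the same decision itself and flag attachments whose bytes disagree with their extension. The following is an added example written for this thread, not code from El Reg or Microsoft. It assumes only the public magic numbers for the three containers involved: the OLE2 compound-file header used by .doc/.dot, the ZIP local-file header used by .docx/.docm/.dotx, and the `{\rtf` opening of an RTF stream.

```c
/* Added example (not code from El Reg or Microsoft): decide a Word file's
 * format from its leading bytes and compare with what the extension claims.
 * Magic numbers: OLE2 compound file (.doc/.dot), ZIP container
 * (.docx/.docm/.dotx) and the "{\rtf" header of an RTF stream. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { FMT_UNKNOWN = 0, FMT_OLE2, FMT_ZIP, FMT_RTF } doc_fmt;

/* Format a content-sniffing parser would actually select. */
doc_fmt sniff_format(const unsigned char *buf, size_t len)
{
    static const unsigned char ole2[8] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};
    if (len >= 8 && memcmp(buf, ole2, 8) == 0)          return FMT_OLE2;
    if (len >= 4 && memcmp(buf, "PK\x03\x04", 4) == 0)   return FMT_ZIP;
    if (len >= 5 && memcmp(buf, "{\\rtf", 5) == 0)       return FMT_RTF;
    return FMT_UNKNOWN;
}

/* Case-insensitive comparison of the part after the last '.' with ext. */
static int suffix_is(const char *name, const char *ext)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL) return 0;
    for (dot++; *dot != '\0' && *ext != '\0'; dot++, ext++)
        if (tolower((unsigned char)*dot) != tolower((unsigned char)*ext)) return 0;
    return *dot == '\0' && *ext == '\0';
}

/* Format the file name promises; FMT_UNKNOWN for non-Word extensions. */
doc_fmt claimed_format(const char *filename)
{
    if (suffix_is(filename, "doc")  || suffix_is(filename, "dot"))  return FMT_OLE2;
    if (suffix_is(filename, "docx") || suffix_is(filename, "docm") ||
        suffix_is(filename, "dotx")) return FMT_ZIP;
    if (suffix_is(filename, "rtf")) return FMT_RTF;
    return FMT_UNKNOWN;
}

/* 1 when the bytes do not match the promised format (e.g. RTF named .doc),
 * 0 when they agree or when the extension is not a Word one at all. */
int extension_mismatch(const char *filename, const unsigned char *buf, size_t len)
{
    doc_fmt claimed = claimed_format(filename);
    if (claimed == FMT_UNKNOWN) return 0;
    return claimed != sniff_format(buf, len);
}

int main(void)
{
    /* Constructed sample: a minimal RTF body delivered as "invoice.doc". */
    const unsigned char rtf[] = "{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} hello\\par }";
    printf("invoice.doc mismatch: %d\n", extension_mismatch("invoice.doc", rtf, sizeof rtf - 1));
    printf("invoice.rtf mismatch: %d\n", extension_mismatch("invoice.rtf", rtf, sizeof rtf - 1));
    return 0;
}
```

The check only reports that name and content disagree; it says nothing about whether the RTF inside is malicious, and a genuinely named .rtf attachment passes. If the policy while unpatched is "no RTF from outside", gate on `sniff_format() == FMT_RTF` directly rather than on the mismatch flag.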
I wouldn't expect
The whole point of the Vista and Windows 7 rewrites according to MS was that they were re-writing the code from the ground up to make it secure. And with that commenced the directive of making security Job #1. Which to me implies checking the code with all your security tools at each release. As an earlier poster noted, the absence of Word 97 or earlier versions doesn't mean the bug doesn't exist in them, only that MS haven't arsed themselves to test them. So it could be a 20+ year old bug, but it is confirmed to be at least a 13 year old bug.
"The whole point of the Vista and Windows 7 rewrites according to MS was that they were re-writing the code from the ground up to make it secure. And with that commenced the directive of making security Job #1."
MAKE HIM STOP!!!
I ABOUT PISSED MYSELF LAUGHING....
Oh, better now.
People are still using Microsoft products?
"Mainstream" support for Office 2003 ended back in 2009 - and "extended" support for it ends early next month. I wonder how many installations of this won't get patched, particularly if this issue doesn't get patched by next month's cut-off? 2007 is out of "mainstream" support too, and I'm sure it's far from extinct out there - and probably far from currently patched...
Office 2004 for Mac no longer runs under 10.7 after the upgrade from 10.6. Libre Office is now usable even if it does still take far too long to load, so no point in paying for the upgrade.
I have warned the rest of the family: the wife uses PCs, and the kids might well run various versions at home and at work.
Oh and I'm reminded why I never liked Outlook so never more than glanced at it, let alone set it up. Thunderbird does just fine and dandy.
"Recycled code - bad"
Code re-use is pretty standard practice, actually. No-one is going to re-write every part of a very large software project each time an iterative version is released, especially the legacy parts. If you did that you'd (a) never release a new version and (b) introduce more bugs with each version than you would otherwise.
>>"But 10+ year old code is dragging it out a bit. At least review it, especially since it loads external data."
By that logic parts of the PATA modules in my Linux kernel should be re-written with every iteration of GNU/Linux. It loads external data and it's over ten years old. Point is that the OP I replied to said re-using code was bad. That's crap and every experienced software engineer on a medium large project knows how unfeasible and counter-productive it would be to re-write everything especially legacy parts, just because a new version was coming out.
OP made an ignorant comment that code should not be re-used from one version of an Operating System to the next. You lose all credibility taking issue with me correcting the OP.
"That's crap and every experienced software engineer on a medium large project knows how unfeasible and counter-productive it would be to re-write everything especially legacy parts, just because a new version was coming out."
I don't think it's been suggested to re-write all code for every iteration. (Why do you people bicker back with edge cases and extreme counter-arguments?)
I have written code, and it's been running for years. It doesn't get touched, it does what it's supposed to do. I've also written shitty code where I feel sorry for the next person to maintain. I've also been on the receiving end of shit code.
But don't you do code reviews, especially on code that already had similar issues? Or are you the type to leave code well alone once it's proven to work?
When you have code in high-risk areas, running on the vast majority of desktops over the world, and you're getting an obscene amount of money for it - it's more of a case of responsibility.
I'd love to know if a code analysis tool would have picked this bug up, or if a second glance at the function would spot something... but I guess we'll never know.
>>"I don't think it's been suggested to re-write all code for every iteration. "
OP wrote "Code re-cycling is bad". Other than an accompanying sentence saying that "plastic recycling is good", that was the sum total of their post. I responded pointing out that code re-use is standard practice and attempting to re-write everything would introduce more bugs.
Then you argued with me.
>> PATA modules in my Linux kernel should be re-written with every iteration of GNU/Linux
A pathetic example! That code (and any updates to it) can be reviewed by anyone, and it's not dealing with data directly from the Internet - ie, in emails.
Old code should be reviewed, every so often. The security landscape has changed a lot in the past decade.
"OP made an ignorant comment that code should not be re-used from one version of an Operating System to the next. You lose all credibility taking issue with me correcting the OP."
Sorry, I was just trying to add something to the discussion regarding reviewing old code... I'm not here to gain credibility, or score points.
Good code is good code, no matter how old it is. The term "bit rot" was debunked a long time ago. The trouble is that good code isn't that easy to come by.
Or if you prefer, there's the old adage that I recall from my programming days - there's no such thing as a finished product; just one that's in a high state of debug. :)
"The term "bit rot" was debunked a long time ago".
I think you'll find that "bit rot" was humorous shorthand for the well-known problems that arise when an originally crisp, efficient system is gradually patched and "enhanced" year after year. It's the programmer's version of what Verity Stob calls "cruft" from the end-user POV.
I don't think it is a bug - more of an oversight.
The root of the issue seems to be the time when MS thought that t'internet would be a great way to do systems management on Windows PCs remotely and all that IE6 development stuff that so many organisations (and ActiveX?) are still snagged into?
RTF is a Microsoft format created by Microsoft, for Microsoft. I believe it was introduced at some point between the Mac and DOS versions to allow them to actually exchange files as the .doc format was (surprise surprise) a bastardised binary stream mess that was changed as regularly as possible and in insane ways to ensure that competing packages couldn't use .doc files properly (and when they make a mess of them, they get the blame).
Back in the early '80s IBM had a very brief leadership of PC word processing with DisplayWrite before being eclipsed by WordStar (ported from CP/M), WordPerfect (ported from Wang), MS Word (ported from Xenix). DisplayWrite was developed in a PC emulator running on MVS... was slow, memory intensive with a blocky UI, and larger files due to RTF, which was text based for transfer to/from S/370, S/36, S/38 versions which used EBCDIC instead of ASCII. RTF support in WordPerfect & Word started out as IBM compatibility.
For Microsoft RTF was a surprise saviour because it was the only way to share files between Word for DOS and MacWord, which had incompatible .DOC formats due to big/little endian differences between 8086 & 68000.
IBM lost interest in RTF, because it had a better idea with GML (which it standardised & some contractor @CERN copied for his web-thing).
MS wrote-up the spec because mail-merge used to be a separate program, and is still used in document generators.
WTF does a document format have to have executable capability?
Has anyone suggested that it does, or that this is where the problem lies? Most bugs like this work by corrupting the code of the tool that is processing them, for example by overflowing internal buffers with data whose length is incorrectly declared. The file just contains data which happens to mean something to the CPU, it's the buggy utility that is tricked into executing it.
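To make the answer above concrete, here is the "incorrectly declared length" pattern in miniature. It is an added example written for this thread, not Microsoft's code, and it makes no claim about which check the actual Word bug misses. It uses RTF's real `\binN` control word, whose parameter announces "the next N bytes are raw binary": the unchecked handler trusts N, the checked one refuses anything the destination cannot hold. Process memory is simulated with a 64-byte arena so that the clobbering of a neighbouring field is visible without relying on undefined behaviour.

```c
/* Added example (not Microsoft's code): toy handling of RTF's "\binN"
 * control word, unchecked versus checked. Memory is a simulated arena so
 * the overflow into a neighbouring field can be observed safely. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 16   /* room the author allotted for the binary run */
#define ARENA_SIZE 64   /* simulated process memory                    */

typedef struct { unsigned char mem[ARENA_SIZE]; } arena_t;

/* Layout: mem[0..16) is the binary field; mem[16..) stands in for
 * whatever lives next door (another object, a saved pointer, ...). */
void arena_init(arena_t *a)
{
    memset(a->mem, 0, sizeof a->mem);
    memcpy(a->mem + FIELD_SIZE, "SAVED_STATE", 11);
}

/* Parse "\binN" (plus the optional delimiting space) at the start of in.
 * Returns the header length consumed and sets *n, or 0 if not \bin. */
size_t parse_bin_header(const unsigned char *in, size_t in_len, long *n)
{
    const char tag[] = "\\bin";
    size_t i = strlen(tag);
    if (in_len < i || memcmp(in, tag, i) != 0) return 0;
    long val = 0;
    int digits = 0;
    while (i < in_len && isdigit(in[i]) && digits < 9) {
        val = val * 10 + (in[i] - '0');
        i++;
        digits++;
    }
    if (digits == 0) return 0;
    if (i < in_len && in[i] == ' ') i++;
    *n = val;
    return i;
}

/* Vulnerable pattern: the declared N becomes the copy length.
 * Returns bytes copied, or -1 if the input is not a \bin run. */
long bin_copy_unchecked(arena_t *a, const unsigned char *in, size_t in_len)
{
    long n;
    size_t hdr = parse_bin_header(in, in_len, &n);
    if (hdr == 0) return -1;
    if ((size_t)n > in_len - hdr) n = (long)(in_len - hdr);
    if (n > ARENA_SIZE) n = ARENA_SIZE;   /* keeps the simulation in bounds; the real bug has no such clamp */
    memcpy(a->mem, in + hdr, (size_t)n);  /* runs past FIELD_SIZE whenever n > 16 */
    return n;
}

/* Hardened: N must fit both the remaining input and the destination.
 * Returns bytes copied, -1 for "not \bin", -2 for a rejected length. */
long bin_copy_checked(arena_t *a, const unsigned char *in, size_t in_len)
{
    long n;
    size_t hdr = parse_bin_header(in, in_len, &n);
    if (hdr == 0) return -1;
    if (n < 0 || (size_t)n > in_len - hdr || n > FIELD_SIZE) return -2;
    memcpy(a->mem, in + hdr, (size_t)n);
    return n;
}

int main(void)
{
    /* Constructed input: header says 32 bytes follow, the field holds 16. */
    const unsigned char evil[] = "\\bin32 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    arena_t a;
    arena_init(&a);
    printf("unchecked copied %ld, neighbour now '%.11s'\n",
           bin_copy_unchecked(&a, evil, sizeof evil - 1), (const char *)(a.mem + FIELD_SIZE));
    arena_init(&a);
    printf("checked returned %ld, neighbour still '%.11s'\n",
           bin_copy_checked(&a, evil, sizeof evil - 1), (const char *)(a.mem + FIELD_SIZE));
    return 0;
}
```

Nothing in the attacker's bytes is executed by this code; the damage is that bytes chosen by the attacker land on top of state the program later trusts, which is exactly the point the answer above makes. The fix is not to forbid binary data but to bound every declared length by what the destination and the remaining input can actually hold before copying.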
... and el Reg appear to be using a script to generate headlines about Windows vulnerabilities.
I'm tolerant. I can deal with the fact that this might not have been spotted in the mound of code-upon-code that probably underpins Word by now (I know all too well that greenfields projects just don't happen).
... but to have known about something this serious for over a month and not done anything? Poor show.
This vulnerability by itself does not allow you to "own" a machine. This allows for arbitrary code execution inside user space, which can't by itself "own" a machine unless combined with a privilege escalation. Which is not very difficult these days with grandma saying "Yes" to annoying prompt dialogs.
But the vulnerability by itself does not allow you to own a PC.
No, they don't "own" the machine without further steps (privilege escalation exploit or social engineering to get the admin password). They can, however, access all your data, log web browsing and keystrokes so that they can get at your bank account (e.g. install a browser plugin that performs a MITM attack while you log in).
Brilliant example of "security expert" speak. Privilege escalation kits different from popping up a dialog asking for admin rights are NOT "a dime a dozen" In fact, if you have lots of them there is a very profitable market where you'll be handsomely paid, so you should be right now making yourself rich instead of trolling forums. Which you are not.
Plus, if they were "a dime a dozen" MS would be at least issuing patches for some of them.
Go to scare crowds elsewhere.
I produce control systems for a living. I have systems all over the world so support costs me money. I spend far more time on testing than polishing the UI's. My customers appreciate it and I get less support calls.
Microsoft are too worried about their image and ratings to care about the bugs they regularly ship to us. Imagine a programmer saying to the pre-release team "I have found an obscure bug". With the press briefed and the glossy advertising booked there would be no stopping the release. It would then be forgotten.
We, the customers, are Microsoft's largest debug team. And we don't even get a discount!
Even the purchase of Nokia shows poor thinking. The deal is not yet done and Nokia announce a phone that runs Android! Go figure.
"We, the customers, are Microsoft's largest debug team. And we don't' even get a discount!"
I couldn't agree more. The thing of it is, Microsoft has just followed the rules of the legal and economic system with which it has to comply. Precisely because its products have such large user bases, the great majority have no idea of security or decent quality. Rather, they are swayed by shiny UI features.
If we want better behaviour from vendors, we need to adjust the legal and economic system. While we're at it, we could perhaps do something to prevent banksters from making fortunes with no downside and at no risk to themselves, by exploiting laws that they paid for (and in most cases, actually wrote themselves because the politicians don't begin to understand such a difficult subject).
Or, if you want to live in a blue sky ivory castle and dream dreams, we could improve our educational system so that, as today's young people become adults, they will no longer be susceptible to such trickery. But now I'm raving - it could never happen.
This is the fundamental problem with all software: it's released half finished!
The next time I'm installing ANOTHER Windows patch, update for an Adobe product, or Java, instead of the bullshit about how many machines it runs on, just for once I'd like to see an APOLOGY for the fact that I'm only having to install this update because they screwed up and left a security hole in their product that may just cost someone their bank contents.
Spot on, but I would also like to see an end to those doubly annoying "re-agreement to the license" windows.
Nothing makes me madder than to have Adobe yell at me to update this or that plugin, then confront me with a window full of Lawyer Gibberish and force me to check the box to activate the button that I must click to get on with what *they* were begging me to do only five minute before.
"This is the fundamental problem with all software: it's released half finished!"
Indeed. Half of all half-finished software is secure underneath but takes a conscious effort of will to learn how to use. The other half of all half-finished software is easy to use, even easier to use badly -- and thoroughly insecure underneath.
Reading the MS stuff on this (via the article link) I'm left wondering why MS didn't just release this as a Windows security update. Certainly it seems to add some rather useful security features that by implication MS have deliberately omitted from: XP, Vista, 7, 8 & 8.1 !!!!
I know we are all making fun of MS here for having a bug in RTF rendering since Office 2003.
It is a cautionary reminder that user-entered data needs to be assessed very carefully before processing. The MS team that let this slip didn't exactly cover themselves with glory, but 700 monkeys poking 700 sticks at 700 apps will occasionally hit paydirt.
The Office vulnerability is NOT what is scary and in addition, the important bits are NOT being reported here and they are not reported in the CVE either.
What operating systems are at risk? From the lack of forthcoming information from MS I would guess even Windows 7 and 8 would be.
Why is it that a regrettable, but not entirely unexpected condition in a bit of non-system software, in this case rendering an RTF, manages to get a user to own a modern operating system?
I am betting that, if Open Office had a similar bug, it could not infect Windows itself because the system would not be tightly coupled to it and would have a suitably hands off relationship. Why does MS insist on allowing tight integration between its user apps and the OS? For performance reasons on multi-core systems?
Why isn't UAC more robust? Linux and even Mac users can apparently deal with the boundless complexities of sudo and admin user approval (and password) prompts, so why doesn't MS get off its fat rear end and implement appropriate isolation between userland and system integrity?
No, all this would not prevent clueless users from happily providing their credentials when offered riches from Nigerian princes or offered a free AV scan. But it would protect the other 95% of us.
And, yes, I include myself because I have to use Windows for work but know better for personal use.
p.s. Windows 8 security in 2014? password limited to 16 chars. Good job, MS! Horse Battery Staples not included.