Author Topic: Microsoft Warns That Word Docs Are Ticking Timebombs  (Read 2339 times)


Offline Mysterious Benefactor

  • Systems Manager /
  • Administrator
  • NEW SUPERNAL SCEPTER
  • *****
  • Posts: 16236
  • Karma: +205/-12198
  • Gender: Male
Microsoft Warns That Word Docs Are Ticking Timebombs
« on: December 07, 2006, 06:59:53 AM »
Microsoft has issued a zero-day attack alert for its ubiquitous Word application. The unpatched flaw can be exploited when a user simply opens a maliciously rigged Word document, and there are no pre-patch workarounds available, Microsoft warns. Microsoft says DON'T OPEN OR SAVE WORD DOCS, EVEN FROM TRUSTED SOURCES.

Offline Josette

  • Full A ed Newest Fervor Post
  • NEW ASCENDANT
  • ******
  • Posts: 4600
  • Karma: +75/-3066
  • Gender: Female
Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #1 on: December 08, 2006, 09:03:50 AM »
Huh?!!!  Does that mean everyone should just stop using Word?  When is zero-day?

Fortunately, I use WordPerfect, but I do have to convert things to Word at times and sometimes receive things in it.
Josette

Offline Mysterious Benefactor

Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #2 on: December 08, 2006, 02:05:51 PM »
Zero-day doesn't actually refer to a specific date for everyone. A zero-day attack is a virus, trojan, worm, etc. that takes advantage of a newly discovered flaw/hole in a program or operating system before the software developer (Microsoft in this case) has made a fix available - or before they're even aware the hole exists. The "zero-day" is the day someone opens a virus-infected e-mail attachment (or gets hit by a drive-by download (a Web site that downloads a virus, trojan, worm, etc. just by visiting it)) because the antivirus or antispyware software they've diligently kept up to date knows nothing of the brand-new attacks.  [santa_undecided]

As for Word, there's probably absolutely nothing to worry about if someone simply uses it for their own personal use. The problems should only arise if/when someone opens an infected Word .doc file that they've received via e-mail or by downloading it from a Web site...

Offline BuzzH

  • DSF God
  • *****
  • Posts: 3184
  • Karma: +14677/-5359
  • The grooviest HEP cat in Collinsport!
Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #3 on: December 08, 2006, 04:50:40 PM »
Microsoft has issued a zero-day attack alert for its ubiquitous Word application. The unpatched flaw can be exploited when a user simply opens a maliciously rigged Word document, and there are no pre-patch workarounds available, Microsoft warns.

Checked w/my IT department this morning and they say this is not true!  It's an urban legend folks.   [santa_wink]
Buzz-isms:

"I like the bike I got, & the chick I got!"
"I know just the place!?Over in Logansport!"
"If ya feel it, SIT it!"
"Come on, before he offers me a side car too!"
"Her nose needed some powder!"
"You askin' me to give up something I like?"

Offline MsCriseyde

  • Senior Poster
  • ****
  • Posts: 1681
  • Karma: +9655/-16930
  • Gender: Female
  • Even the name reeks of Ohrbach's!
    • Criseyde's David Selby Site
Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #4 on: December 08, 2006, 05:00:07 PM »
Checked w/my IT department this morning and they say this is not true!  It's an urban legend folks.   [santa_wink]
MB is always very careful to post security information from reliable sources. If he puts it on the forum, you can trust it's true.

Here's the Microsoft Security Advisory. Here's the entry about it on the Symantec Security Response Weblog -- brought to you by the fine folks who make Symantec/Norton antivirus software. It's a little scary that your IT folks are unaware of the situation. Most of them monitor Microsoft security advisories fairly closely.

Bottom line, and this should always be the case: Don't open attachments from people you don't know. Don't open attachments from people you do know if you weren't expecting the file.


Dark Shadows Alumni Movies (Includes a DS News page.)

Offline BuzzH

Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #5 on: December 08, 2006, 06:36:53 PM »
MB is always very careful to post security information from reliable sources. If he puts it on the forum, you can trust it's true.
 -- brought to you by the fine folks who make Symantec/Norton antivirus software. It's a little scary that your IT folks are unaware of the situation. Most of them monitor Microsoft security advisories fairly closely.

They're not unaware of the problem, never said they were!  They just say it's nothing to worry about, see below from them:

I wouldn't worry about it. This is "same old". A patch will be released through critical updates very shortly. I thought you were latching onto some kind of doomsday thing. This type of thing comes out all the time. You have to be really interactive for this exploit to work. It can't work just by opening the document. You have to click on a link in the document:

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

• The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.


With all due respect to MB, I'm gonna trust my IT guy on this.    [santa_wink]

Offline Mark Rainey

  • Full A ed Newest Fervor Post
  • Senior Poster
  • ****
  • Posts: 906
  • Karma: +1169/-3545
  • Gender: Male
    • The Realm
Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #6 on: December 08, 2006, 11:23:20 PM »
The impact is not trivial for writers and editors who use MS Word -- which is most of the publishing business. I haven't printed out a manuscript in years; virtually every story or novel I send to a publisher is an MS Word file, via email. So when an advisory such as this one comes out, it's something to take seriously. The information I've seen does indicate that just opening a file would be sufficient to execute the malware -- not clicking on a link within a file. That's why the Office Document Open Confirmation Tool for Office 2000 is considered a "minor intermediary measure" -- because it prevents a Word file from opening on the first activation -- it requires a confirmation from the user.

Still, unless you actively send and receive MS Word files to and from other users, your risk is negligible. It's not something to panic about -- but it's also something to take very seriously if you send Word files back and forth to other users, as I do.

Offline Mysterious Benefactor

Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #7 on: December 09, 2006, 01:53:12 AM »
With all due respect to MB, I'm gonna trust my IT guy on this.    [santa_wink]

Actually, the wording that Word docs are "ticking timebombs" is Microsoft's own wording - it's not fear mongering, or an irrational warning on the part of some reactionary party outside of Microsoft to a trivial situation, or an urban legend. And what your IT department said, what I said, what the publication eWEEK (which published the article that I linked to and which is one of the leading and most respected publications in the IT industry) said, and what Microsoft itself has said is all the same thing. However, that doesn't lessen the very real fact that some people WILL indeed click those links in e-mailed Word docs and they WILL indeed visit those malicious Web sites. Sadly, that's an absolute fact because that's exactly how viruses, trojans, worms etc. become epidemic.

I merely post these notices to alert the forum's members and guests to very real potential dangers. Most will probably already know enough not to do what's being warned against - but some may not...

Offline Nancy

  • Senior Poster
  • ****
  • Posts: 1598
  • Karma: +10683/-11655
  • Gender: Female
  • Only my freckles hold me together.
Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #8 on: December 09, 2006, 03:50:46 AM »
Yes, both IT departments affiliated with where I teach and also the place where I work evenings forwarded the email from Microsoft about this. I saw on McAfee's website that Microsoft plans on releasing 6 patches on December 12th to deal with this latest vulnerability. Those IT people will never be out of work, will they? It's always something. Thanks for the heads up, MB. I read it first here and then read my work email for the same warning from the IT guys and Microsoft! You rock!

Nancy

Zero-day doesn't actually refer to a specific date for everyone. A zero-day attack is a virus, trojan, worm, etc. that takes advantage of a newly discovered flaw/hole in a program or operating system before the software developer (Microsoft in this case) has made a fix available - or before they're even aware the hole exists. The "zero-day" is the day someone opens a virus-infected e-mail attachment (or gets hit by a drive-by download (a Web site that downloads a virus, trojan, worm, etc. just by visiting it)) because the antivirus or antispyware software they've diligently kept up to date knows nothing of the brand-new attacks.  [santa_undecided]

As for Word, there's probably absolutely nothing to worry about if someone simply uses it for their own personal use. The problems should only arise if/when someone opens an infected Word .doc file that they've received via e-mail or by downloading it from a Web site...

Offline Nancy

Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #9 on: December 09, 2006, 03:55:17 AM »
Why would Microsoft itself say it was indeed a problem and releasing patches to address it on December 12th if it was an "urban legend"?

Nancy

Checked w/my IT department this morning and they say this is not true!  It's an urban legend folks.   [santa_wink]

Offline Nancy

Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #10 on: December 14, 2006, 07:25:54 AM »
I saw that Microsoft did indeed release the promised patches to this new vulnerability on 12/12.

Nancy

Offline Mysterious Benefactor

Re: Microsoft Warns That Word Docs Are Ticking Timebombs
« Reply #11 on: December 14, 2006, 03:38:39 PM »
And one might expect that to be the final solution. But, oh, how wrong one would be! Check out the latest:

Double Trouble: MS Confirms Another Word Zero-Day Flaw!!