Preventing MSWord Exploits

Discussion in 'other security issues & news' started by Rmus, Dec 19, 2006.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    We are now up to three known MSWord exploits. See:

    https://www.wilderssecurity.com/showthread.php?t=156955

    This is a bit disheartening for those of us who regularly use word documents from other people.

    However, a PoC Code Disclosure and test file have been released which allows you to test your setup and configure for safe running of MSWord documents:

    eeye zero day tracker

    (link at the bottom of the article to the test file)

    Some suggestions.

    BROWSER OPTIONS

    In your Browser Download settings, you can associate an application with a MIME type. Here, I show WordViewer for msword:

    http://www.urs2.net/rsj/computing/tests/wordxplt/operapref_1.gif
    ________________________________________________________________

    http://www.urs2.net/rsj/computing/tests/wordxplt/operapref_wordview.gif

    However the POC shows how the exploit now crashes WordViewer:

    http://www.urs2.net/rsj/computing/tests/wordxplt/opera_wordviewer.gif


    Associating .doc with a text editor would prevent the exploit code from executing:

    http://www.urs2.net/rsj/computing/tests/wordxplt/opera_cwordpad.gif


    Using the browser to open .doc also avoids the problem:

    http://www.urs2.net/rsj/computing/tests/wordxplt/operapref_opera.gif
    ________________________________________________________________

    http://www.urs2.net/rsj/computing/tests/wordxplt/opera_opera.gif

    Another option is to prompt for action - useful for those who download msword documents regularly:

    http://www.urs2.net/rsj/computing/tests/wordxplt/operapref_download.gif
    ________________________________________________________________

    http://www.urs2.net/rsj/computing/tests/wordxplt/opera_download.gif

    EMAIL OPTIONS

    Like with the Broswer, you can associate an application with a MIME type:

    http://www.urs2.net/rsj/computing/tests/wordxplt/agentpref_1.gif

    Here, it is associated with a text editor and displays that icon:

    http://www.urs2.net/rsj/computing/tests/wordxplt/agent_attachcwp.gif


    To avoid accidental launching, the email program will display a prompt for action box if the attachment is double-clicked:

    http://www.urs2.net/rsj/computing/tests/wordxplt/agent_attachprompt.gif


    And then you can open:

    http://www.urs2.net/rsj/computing/tests/wordxplt/agent_cwp.gif


    For those of us who deal daily with Word documents from other people,
    it's not necessary to avoid using them if precautions are taken. Examples:

    1) All email attachments should be expected or verified from the sender.

    2) Use an older version of MSWord, or a text editor to open the documents.


    regards,

    -rich



    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    very good advice :thumb:
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    About the PoC (the Word Document), what is it supposed to do? Also, you might be able to stop exploits by sandboxing Office, I guess. :rolleyes:
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The POC document proves that code can crash the Office applications listed in the advisory. If you download it and attempt to open it in those applications, they will crash. Naturally, the code could be changed to do worse things than that.

    The most common ways of getting word documents from other sources are via email and the the internet, and I showed some ways of dealing with it.

    Another means of delivery is by external media: USB or CD. Attempting to open the document from CD using Word 2000 causes it to crash:

    http://www.urs2.net/rsj/computing/tests/wordxplt/word2000xplt.gif

    But an older version of Word (Word95) is not vulnerable:

    http://www.urs2.net/rsj/computing/tests/wordxplt/word95xplt.gif

    _______________________________________________________________

    Can you test and post your results?

    regards,

    -rich


    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Actually I can´t, I do use Sandboxie but it can´t automaticly sandbox MS Office, I believe. But perhaps other tools like BufferZone and DefenseWall can? ;)
     
Loading...
Thread Status:
Not open for further replies.