How Microsoft’s Word flaw affects users
Posted on Monday, June 16, 2008 at 5:49 pm

This is a topic which I researched during my Bachelor IT Programme, titled “Microsoft security team probing new Word flaw”. We will look into the past history of what happened and what was done.
The What
Ever since Microsoft Office 2000 was released, service packs and patches have been released solely for Microsoft Office. You may wonder why Microsoft releases these patches when Office can still function properly. The reason is that bugs and flaws are constantly being discovered by programmers, security researchers and white/black hat hackers.
The Why
In Microsoft Office, the Word flaw exists because Word has many functions that may contain bugs. These bugs result in buffer/memory overflows that are exploitable. Word also coexists with other programs, using libraries like Visual Basic apps, macros, or Internet Explorer.
There are also many versions of Microsoft Office (2000, XP, 2003, 2007), and many service packs for each version. The later versions of Microsoft Word may be built on the previous version, so if a flaw is discovered, it affects the other versions as well.
The How
The flaw can only work if all of the following conditions are met. Firstly, the user must open the specially crafted document with a vulnerable or unpatched version of Microsoft Office 2000, XP or 2003, as the flaw only works on certain versions of Office. Currently, all versions of Office 2007 are unaffected.
Next, the exploit works only if a user with admin rights opens the infected document. (Opening the document can be done by saving it on your local hard drive, or simply clicking Open when the pop-up comes.)
Admin rights are needed in order to run the payload, which requires system-level permissions. Lastly, the PC has to be connected to the internet while the document downloads the payload using Microsoft Word and executes it.
Once the exploit is successful, the payload will be executed. (The term payload, as defined by hackers, is a program or function that is executed after exploitation. The most common payloads are backdoors.) For the hacker to successfully control the compromised PC, the backdoor must connect to a server so that the hacker can issue commands to your machine.
Prevention
Unless the user is running anti-virus software with HIPS (host intrusion prevention system) capability, typical AV software will not prevent this. As the infection is not spreading widely, AV companies will have difficulty developing signature files. Deployed payloads (backdoors) can be manipulated and morphed, which slows down the development of signature files for them.
The workaround for this, as Microsoft usually recommends, is either to update all software regularly or to grab a copy of Microsoft Office 2007, which is currently free of flaws. Microsoft usually releases patches only on the second Tuesday of every month. Together with the time the security team and Office developers need to fix the bug and build the patch, this makes the window for exploitation longer. For the flaw to work, all the conditions have to be met, so the damage of the flaw is not as critical.
The safest way to prevent this is actually user awareness, together with updating software regularly. You should open only documents and attachments you were expecting. Human mistakes and carelessness are usually the reasons why hackers succeed.





