Author Topic: Security alert -- Microsoft sez: "Do not open or save Word files"  (Read 3688 times)
Trippy
Administrator
Posts: 23617


on: December 05, 2006, 09:19:58 PM

There's a "zero day" exploit (meaning there's no patch yet to fix it) going around for Microsoft Word at the moment. The Microsoft advisory is here:

http://www.microsoft.com/technet/security/advisory/929433.mspx

and their suggested workaround is:

Quote
Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.
Ironwood
Terracotta Army
Posts: 28240


Reply #1 on: December 06, 2006, 02:13:32 AM

Fucking Hell, are they kidding?

What kind of 'arbitrary code'??

"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Margalis
Terracotta Army
Posts: 12335


Reply #2 on: December 06, 2006, 02:14:20 AM

By now people should learn NEVER, EVER use any piece of MS software to open anything unless you are 100% sure it is safe.

You can open a random movie in Windows Media Player and it will pop up a web page. What the fuck?

Edit: I assume this is an issue similar to the image rendering one before. Some buffer overrun or something that will execute arbitrary code.

vampirehipi23: I would enjoy a book written by a monkey and turned into a movie rather than this.
Ironwood
Terracotta Army
Posts: 28240


Reply #3 on: December 06, 2006, 02:39:32 AM

Normally I'd agree, but WORD DOCUMENTS?  That's getting into the realms of silly and harsh.  It's like poison in the water.

"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Trippy
Administrator
Posts: 23617


Reply #4 on: December 06, 2006, 04:26:12 AM

Quote from: Ironwood
Fucking Hell, are they kidding?

What kind of 'arbitrary code'??

"Execute arbitrary code" is the phrase that's used when a program suffers from some sort of buffer overflow problem and allows code to be put into memory as part of the exploit and then executed:

http://en.wikipedia.org/wiki/Buffer_overflow
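
The kind of flaw described in the reply above starts with a copy that trusts a length taken from the file. As an added example (not part of the thread, and not Word's code or file format; the record layout and function names are made up for illustration), here is that bug class next to the bounds check that closes it:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 16

/* Constructed layout, NOT Word's real format: [1-byte length][title bytes] */
struct doc { char title[TITLE_MAX]; };

/* The bug class: the length byte comes from the file and is trusted as-is. */
int read_title_unchecked(struct doc *d, const uint8_t *file, size_t file_len)
{
    (void)file_len;                    /* never consulted: part of the bug */
    uint8_t n = file[0];
    memcpy(d->title, file + 1, n);     /* n > TITLE_MAX writes past title[] */
    return n;
}

/* Hardened form: check the length against the input and the destination. */
int read_title_checked(struct doc *d, const uint8_t *file, size_t file_len)
{
    if (file_len < 1) return -1;       /* no length byte at all */
    size_t n = file[0];
    if (n > file_len - 1) return -1;   /* claims more bytes than the file has */
    if (n >= TITLE_MAX) return -1;     /* would not fit with its terminator */
    memcpy(d->title, file + 1, n);
    d->title[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: a normal record and one whose length byte lies. */
    const uint8_t ok[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t crafted[201];
    memset(crafted, 'A', sizeof crafted);
    crafted[0] = 200;
    struct doc d;
    printf("normal:  %d\n", read_title_checked(&d, ok, sizeof ok));
    printf("crafted: %d\n", read_title_checked(&d, crafted, sizeof crafted));
    return 0;
}
```

The checked reader rejects the oversized record instead of copying it, which is why a fix for this class of bug has to ship in the parser itself rather than as a setting the user can switch off.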

HaemishM
Staff Emeritus
Posts: 42629

the Confederate flag underneath the stone in my class ring


Reply #5 on: December 06, 2006, 08:13:30 AM

That's what happens when you let macros get too much power.

Trippy
Administrator
Posts: 23617


Reply #6 on: December 06, 2006, 08:15:10 AM

Quote from: HaemishM
That's what happens when you let macros get too much power.

It's not a VBA (Visual Basic for Applications) "exploit", otherwise the workaround would be to turn it off.
Viin
Terracotta Army
Posts: 6159


Reply #7 on: December 06, 2006, 08:21:55 AM

Well I guess I get to go home early. 90% of my work is from unexpected Word documents.

- Viin
HaemishM
Staff Emeritus
Posts: 42629

the Confederate flag underneath the stone in my class ring


Reply #8 on: December 06, 2006, 09:11:07 AM

Quote from: Trippy
Quote from: HaemishM
That's what happens when you let macros get too much power.
It's not a VBA (Visual Basic for Applications) "exploit", otherwise the workaround would be to turn it off.


You ruined my UO joke, fucker.   angry

Jayce
Terracotta Army
Posts: 2647

Diluted Fool


Reply #9 on: December 08, 2006, 07:43:19 PM

Quote from: Margalis
By now people should learn NEVER, EVER use any piece of MS software to open anything unless you are 100% sure it is safe.

You should never use any kind of any software to open anything unless you are sure it is safe.  MS definitely doesn't have a monopoly on insecurity  cool

"Arbitrary code" just means that the code that can be run is only limited by the imagination of the malware author.  Which I hear is... pretty unlimited.

It doesn't have to be a buffer overflow to do this.  There are other ways, such as writing to the disk.  If you can convince a program to write what you want to a disk, then you can make it write a virus/trojan/backdoor there.

Witty banter not included.
bhodi
Moderator
Posts: 6817

No lie.


Reply #10 on: December 08, 2006, 09:42:47 PM

Arbitrary code execution is like opening Pandora's box on your computer, but instead of evil spirits, it's filled with spyware, botnets, keyboard loggers, viruses, trojans, or malware of any and all kinds. It's like playing Russian roulette with a semi-automatic. It's a slick computer term for "You're fucked. Nuke the computer from orbit. It's the only way to be sure". It's got your computer like a facehugger. You are looking at a complete format and reinstall, because there is no product on earth that can peel off the slimy defiling tentacles from one of these bombs if it hits your computer. Even if you think you've got it, you probably don't. This shit can bury itself so deep in the bowels of your computer that you will NEVER find it all. Metaphors are inadequate to describe a computer hit by something like this. It's a really bad day.

Count yourself lucky if all it does is launch your web browser and feed you popups every hour, or add your computer to the thousands of others in a giant DDoS botnet.  The more nasty ones aren't overt at all, but parasitically forward any interesting bits (read: CC numbers, logins, passwords, CD-keys) to unsavory people. Now that organized crime's discovered the online world's new and interesting revenue streams, and hacker/cracker types have gone from script kiddies in their parents' basement to identity thieving, ransoming professionals, something like this can come back and bite. And it's got really big teeth.

Microsoft said they need more time to study and counter it, so a security update will NOT be in this Tuesday's security update. Sucks to be you.
« Last Edit: December 08, 2006, 10:12:39 PM by bhodi »
Sky
Terracotta Army
Posts: 32117

I love my TV an' hug my TV an' call it 'George'.


Reply #11 on: December 11, 2006, 06:31:43 AM

Shit like this is why I don't run a local computer shop. Nobody seems to understand backups and the fact that if you take your computer into the shop so screwed nothing can be done, it'll be reformatted and you lose all your hobbit pr0n. I used to do a little side work fixing problems on coworkers' home computers. I stopped that pretty quick, and these are intelligent folks. Forget some of the dumbasses I used to go out drinking with, their computers still make me break down and cry. "Why won't my crapware-laden p2 400 run Oblivion!?!" Shit, man. It won't even run Word (which might be a good thing with this exploit thing).

And that's the WØrd.
geldonyetich
Terracotta Army
Posts: 2337

The Anne Coulter of MMO punditry


Reply #12 on: December 11, 2006, 04:34:12 PM

Microsoft Word vulnerabilities are nothing new.  There were probably Word Macro Viruses before Windows 3.1 existed.  I'm not sure if this zero day exploit has anything to do with the macro function, though.

Trippy
Administrator
Posts: 23617


Reply #13 on: December 11, 2006, 05:19:05 PM

Quote from: geldonyetich
Microsoft Word vulnerabilities are nothing new.  There were probably Word Macro Viruses before Windows 3.1 existed.  I'm not sure if this zero day exploit has anything to do with the macro function, though.

It doesn't. Didn't you see my reply to HaemishM?
geldonyetich
Terracotta Army
Posts: 2337

The Anne Coulter of MMO punditry


Reply #14 on: December 11, 2006, 05:34:37 PM

Anywho, the funny thing is the exact same solution was the best MS could come up with.
