[mso] Re: Microsoft Word flaw may allow file theft

  • From: "Greg Chapman" <greg@xxxxxxxxxxxxx>
  • To: <mso@xxxxxxxxxxxxx>
  • Date: Fri, 13 Sep 2002 22:52:28 -0500

Well, Woody has been reporting this publicly for a couple weeks now. It is a
pretty serious hole and the problem with it is what the black hats will
develop to take advantage of it, not the flaw itself. The thing that ticks
me most about it, though, is that I (and Dian was there to hear it) told MS
Word engineers that something like this was going to show up and that it
would allow hackers to even steal 'signed' credentials. So when I digitally
sign a Word template for distribution and the safety tag is there that says
"Greggie's signature is on this template, do you trust him?" someone else
can steal that sig and use it to pass unsafe code. Suddenly, those keyed
signatures are valueless and we're right back where we started on this Word
macro virus problem.

This passage is not reassuring:
"An additional element of the report suggested a scenario where this issue
could be used to forge a document which has been digitally signed. Microsoft
has evaluated this scenario and found that if this attack vector was
followed, the digital signature on the forged document would be invalidated
and this would be evident from inspecting the digital signature. Even if the
attacker were to somehow manage to find a way to present the user with a
valid digital signature, as discussed above, there would still be a clear
evidence trail that could be followed and handed over to law enforcement
agencies if necessary."

That's from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/secword.asp .
The reason it's not reassuring, and is much more serious than what the news
bunnies are reporting and invalidates the whole idea of signed macros, is the
fact that it can be done and that the trail to the attacker will not be
distinct, because the key to making the whole thing work is the same old
solution: social engineering. Enticing people to view a document, accept the
changes, ad infinitum is actually the simplest part of making a viral payload
go.

Here's an example from the "I love you" virus. One of the admins I work with
was checking his shared family account from the office one day. He noticed a
piece of mail intended for his wife from one of the family's close female
friends. When he saw the subject (I love you!), his curiosity meter pegged
("Why is this woman suddenly telling my wife she loves her?!?!"). As he
clicked on the message, his co-workers heard his loud, too late, cry of "Oh
Sh**!". Yes, the finger is faster than the mind, once distracted.<g> He knew
better and he even knew before his finger arose from the mouse that he'd
been had. The damage had already been done, though.

They can play with includetext fields all they want, but I want the built-in
security measure to be solid. There's no way this sig should ever be able to
be stolen/forged and, despite warnings from little geeks like me, the ball
has been dropped across all versions of Word, post ver 97.

Greg

----- Original Message -----
From: "Charles R. Buchanan" <crbgfblab@xxxxxxxxxxxxx>
To: "MS Office Mailing List" <mso@xxxxxxxxxxxxx>
Sent: Friday, September 13, 2002 2:12 PM
Subject: [mso] Microsoft Word flaw may allow file theft

> I'm not certain this pertains to MS Word within MS Office, if not then
> forgive the off topic post!
>
> http://www.cnn.com/2002/TECH/ptech/09/13/microsoft.word.bug.ap/index.html
> ---
> Look OUT you varmits, This msg is  Virus Free!
>
> *************************************************************
> You are receiving this mail because you subscribed to mso@xxxxxxxxxxxxx or
> MicrosoftOffice@xxxxxxxxxxxxxxxx
>
> To send mail to the group, simply address it to mso@xxxxxxxxxxxxx
>
> To Unsubscribe from this group, send an email to
> mso-request@xxxxxxxxxxxxx?Subject=unsubscribe
>
> Or, visit the group's homepage and use the dropdown menu.  This will also
> allow you to change your email settings to digest or vacation (no mail).
> //www.freelists.org/webpage/mso
>
> To be able to use the files section for sharing files with the group, send
> a request to mso-moderators@xxxxxxxxxxxxx and you will be sent an invitation
> with instructions.  Once you are a member of the files group, you can go
> here to upload/download files:
> http://www.smartgroups.com/vault/msofiles
> *************************************************************
