[mso] Re: Microsoft Word flaw may allow file theft

  • From: "Dian Chapman" <dian@xxxxxxxxxxxxx>
  • To: <mso@xxxxxxxxxxxxx>
  • Date: Sat, 14 Sep 2002 00:53:49 -0500

OK...so we can all clearly see that Greg is extremely concerned about
security issues...and well he should be, he's constantly fighting them
with network issues and spends days and sometimes nights fixing servers
that need to be updated due to security issues.

And yes, he DID stand there and tell a top MS VP that security needs to be
# 1 and that he's sick and tired of having to deal with all the holes in
MS systems...and they need to get down to reengineering some of the root
issues! (Hey...see pics http://www.mousetrax.com/01summit.html)

But the digital signature is not just a problem here...that's why it's
not used, legally, yet...because none of the technology is yet secure
and there are just too many outstanding issues of theft related to
digital signatures on legal documents. You can find tons of arguments
all over the web regarding the pros and cons...and ideas of how to solve
these issues. 

Sorry Greg...I know this is all a sore spot, but regarding this
particular issue...it's been a known fact for years and I personally
consider it more of an issue such as Master Docs. It SHOULD work as
expected, but doesn't...never has. So it's not like some big mystery
that Woody has just uncovered...since he and many of us have known about
it before...this "bug" with IncludeText has been a sideline issue for
years!


Dian Chapman
Technical Consultant, Instructor,
Microsoft MVP & TechTrax Editor

Word AutoForm/VBA eBook: http://www.mousetrax.com/books.html
Tutorial web site: http://www.mousetrax.com/techpage.html
TechTrax Ezine: http://www.mousetrax.com/techtrax/

-----Original Message-----
From: mso-bounce@xxxxxxxxxxxxx [mailto:mso-bounce@xxxxxxxxxxxxx] On
Behalf Of Greg Chapman
Sent: Friday, September 13, 2002 10:52 PM
To: mso@xxxxxxxxxxxxx
Subject: [mso] Re: Microsoft Word flaw may allow file theft



Well, Woody has been reporting this publicly for a couple weeks now. It
is a pretty serious hole and the problem with it is what the black hats
will develop to take advantage of it, not the flaw itself. The thing
that ticks me most about it, though, is that I (and Dian was there to
hear it) told MS Word engineers that something like this was going to
show up and that it would allow hackers to even steal 'signed'
credentials. So when I digitally sign a Word template for distribution
and the safety tag is there that says "Greggie's signature is on this
template, do you trust him?" someone else can steal that sig and use it
to pass unsafe code. Suddenly, those keyed signatures are valueless and
we're right back where we started on this Word macro virus problem.

This passage is not reassuring:
"An additional element of the report suggested a scenario where this
issue could be used to forge a document which has been digitally signed.
Microsoft has evaluated this scenario and found that if this attack
vector was followed, the digital signature on the forged document would
be invalidated and this would be evident from inspecting the digital
signature. Even if the attacker were to somehow manage to find a way to
present the user with a valid digital signature, as discussed above,
there would still be a clear evidence trail that could be followed and
handed over to law enforcement agencies if necessary."

That's from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/secword.asp .
The reason it's not reassuring, is much more serious than what the news
bunnies are reporting, and invalidates the whole idea of signed macros,
is the fact that it can be done and that the trail to the attacker will
not be distinct because the key to making the whole thing work is the
same old solution: social engineering. Enticing people to view a
document, accept the changes, ad infinitum is actually the simplest part
of making a viral payload go.

Here's an example from the "I love you" virus. One of the admins I work
with was checking his shared family account from the office one day. He
noticed a piece of mail intended for his wife from one of the family's
close female friends. When he saw the subject (I love you!), his
curiosity meter pegged ("Why is this woman suddenly telling my wife she
loves her?!?!"). As he clicked on the message, his co-workers heard his
loud, too late, cry of "Oh Sh**!". Yes the finger is faster than the
mind, once distracted.<g> He knew better and he even knew before his
finger arose from the mouse that he'd been had. The damage had already
been done, though.

They can play with IncludeText fields all they want, but I want the
built-in security measure to be solid. There's no way this sig should
ever be able to be stolen/forged and, despite warnings from little geeks
like me, the ball has been dropped across all versions of Word, post ver
97.

Greg

----- Original Message -----
From: "Charles R. Buchanan" <crbgfblab@xxxxxxxxxxxxx>
To: "MS Office Mailing List" <mso@xxxxxxxxxxxxx>
Sent: Friday, September 13, 2002 2:12 PM
Subject: [mso] Microsoft Word flaw may allow file theft
> I'm not certain this pertains to MS Word within MS Office, if not then
> forgive the off topic post!
>
> http://www.cnn.com/2002/TECH/ptech/09/13/microsoft.word.bug.ap/index.html
> ---
> Look OUT you varmits, This msg is  Virus Free!
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.386 / Virus Database: 218 - Release Date: 9/9/2002

*************************************************************
You are receiving this mail because you subscribed to mso@xxxxxxxxxxxxx
or MicrosoftOffice@xxxxxxxxxxxxxxxx

To send mail to the group, simply address it to mso@xxxxxxxxxxxxx

To Unsubscribe from this group, send an email to 
mso-request@xxxxxxxxxxxxx?Subject=unsubscribe

Or, visit the group's homepage and use the dropdown menu.  This will
also allow you to change your email settings to digest or vacation (no
mail). //www.freelists.org/webpage/mso

To be able to use the files section for sharing files with the group,
send a request to mso-moderators@xxxxxxxxxxxxx and you will be sent an
invitation with instructions.  Once you are a member of the files group,
you can go here to upload/download files:
http://www.smartgroups.com/vault/msofiles
*************************************************************
