1. BAD AND VERY BAD "SPY" NEWS
The "Document Collaboration Spyware" exploit Alex Gantman
posted on Bugtraq on August 26 has hit almost every major
news outlet in the world. Much has happened since the flag
went up. To summarize: I've got some bad news. And I've got
some very bad news.
The bad news: Microsoft hasn't done squat for its
customers. There's a press release that MS posted in
response to Ian Hopper's story for the Associated Press
(good story, by the way). You can see MS's Party Line at
http://www.microsoft.com/technet/sec...cs/secword.asp
But as far as I know, that's the extent of Microsoft's
missives to its customers. Three and a half weeks later,
and there's no security bulletin, no official warning, no
nothing. The only suggestion Microsoft has come up with -
examine field codes in your document manually - is so lame
I don't know if I should laugh or cry... or scream. Can
*you* look at a field code and know if it will
automatically suck in a sensitive file? How can hundreds of
millions of Office users be expected to tell the difference
between a safe field code and a spy?
We now have a tool to help you identify suspect documents -
you can see below for details but I know you're impatient
so look at
http://www.woodyswatch.com/util/sniff
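Spotting the field codes that fetch outside content is exactly the kind of check a script should do for you. The following is an added example, not Woody's sniff utility and not code from this newsletter: a small Python scanner over the XML inside a .docx file (a format that postdates Word 2002; the Word 97-2002 binary .doc format would need a different reader). The set of field types it flags and the sample document it scans are this example's own assumptions.

```python
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Field types that make Word fetch content from outside the document on its
# own. The list is this example's assumption, not the one used by any tool.
RISKY_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE", "LINK", "DDE", "DDEAUTO", "IMPORT", "RD"}

def extract_field_codes(document_xml: str) -> list[str]:
    """Every field instruction in word/document.xml, simple and complex fields alike."""
    # A simple field keeps its code in w:fldSimple/@w:instr. A complex field spreads it
    # over w:instrText runs between 'begin' and 'separate'/'end' w:fldChar; fields nest.
    codes, stack = [], []
    for el in ET.fromstring(document_xml).iter():
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", "").strip())
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "separate" and stack and stack[-1] is not None:
                codes.append("".join(stack[-1]).strip())
                stack[-1] = None   # instruction finished; the field's result text follows
            elif kind == "end" and stack:
                buf = stack.pop()
                if buf is not None:  # field that had no 'separate' part
                    codes.append("".join(buf).strip())
        elif el.tag == W + "instrText" and stack and stack[-1] is not None:
            stack[-1].append(el.text or "")
    return codes

def field_type(code: str) -> str:
    return code.split()[0].upper() if code.split() else ""   # first token names the field

def suspect_fields(document_xml: str) -> list[str]:
    """Field codes that would pull external content in without any user action."""
    return [c for c in extract_field_codes(document_xml) if field_type(c) in RISKY_FIELDS]

def scan_docx(path: str) -> list[str]:
    with zipfile.ZipFile(path) as z:
        return suspect_fields(z.read("word/document.xml").decode("utf-8"))

# Constructed sample: a harmless DATE field, an INCLUDETEXT field whose code is
# split over two runs (as Word often writes it), and a PAGE field.
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:fldSimple w:instr=" DATE \@ &quot;d MMMM yyyy&quot; "><w:r><w:t>1 September 2002</w:t></w:r></w:fldSimple></w:p>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText> INCLUDETEXT "C:\\Secret\\</w:instrText></w:r>
<w:r><w:instrText>budget.doc" </w:instrText></w:r><w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>(included text)</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p></w:body></w:document>"""
```

Run `scan_docx("incoming.docx")` on a file you are about to open; an empty list means no field of the flagged types is present, while any hit deserves a look before the document is opened in Word.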
More bad news: in the past couple of days I've cobbled
together a "spy" document that automatically retrieves the
full file names of all documents which are already open
when the "spy" document gets opened. (You'll recall that
Alex's exploit requires the attacker to know the precise
name and location of the file that's being spied upon.)
The very bad news: that new file name retrieval "spy"
technique works automatically and silently in all versions
of Word - 97, 2000, or 2002 (the version in Office XP).
Microsoft says "For best security, we recommend that
customers use Word 2002." I don't buy it. Microsoft got
lucky when it changed the way certain fields were updated
in Word 2002 - Alex's original exploit doesn't work
automatically in Word 2002. But they weren't looking at
Word fields from a security point of view when they sent
Office XP out the door, and they missed at least one gaping
hole.
Bookmarks