
Microsoft: 0Day Exploit Targeting Word, Outlook - ca98am79
http://krebsonsecurity.com/2014/03/microsoft-warns-of-word-2010-exploit/
======
Sniffnoy
I'm confused by the idea that there could be a vulnerability while reading
RTFs, of all things. Annoying; I frequently send out documents in RTF format
to make sure everyone can read them...

~~~
ne0codex
I stick with .pdf files

However, that might be bad practice.

~~~
mpyne
With Adobe Reader it's probably even worse, to be honest.

~~~
rplnt
For the past few years I've been using Chrome as a PDF reader (I don't use it
as my primary browser, but have it nonetheless). I'm not saying Chrome can't
be vulnerable... it's just good to get rid of such pointless software as PDF
reader. Especially if the case is the bloated Acrobat Reader (though I think
the UX was great with that one).

------
justincormack
"One way to harden your email client is to render emails in plain text"

er yes.

~~~
dsl
This is one of the biggest false assumptions that I see smart people making.
Unless you have verified the implementation under the hood, you have no
knowledge that the parser and renderer are not being executed on a rich text
part regardless of what is displayed on the screen.

~~~
bananas
Unless it's multi-part MIME which is usually the encapsulation mode for RTF
based email. In that case, there's usually a plain text copy attached to the
body as well which doesn't need to be read by the parser or any of the rich
text stuff.

Confirmed:

    
    
    Content-Type: multipart/alternative;
        boundary="_000_1B81DC42240AEE4B96F487A2683E7EEB0A6AE7505BTHHS2E12BE2Xh_"
    MIME-Version: 1.0
    --_000_1B81DC42240AEE4B96F487A2683E7EEB0A6AE7505BTHHS2E12BE2Xh_
    Content-Type: text/plain; charset="Windows-1252"
    Content-Transfer-Encoding: quoted-printable

    RTF test
    

From Outlook 2013 in RTF mode...

And I use mutt for my personal email...

~~~
dsl
...and if the vulnerability is in the MIME parser itself?

~~~
bananas
It wouldn't be if the mitigation was to stop viewing RTF as it says on
technet...
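
The plain-text-alternative point from this sub-thread, as an added example that is not part of any commenter's post: a filter that returns only the `text/plain` body of a message and lists the parts it left undecoded. The sample messages, the boundary `b1` and the function name `plain_text_only` are constructed for illustration.

```python
from email import message_from_bytes, policy

# Constructed sample: a text/plain body with an RTF alternative (not from the thread).
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; charset="Windows-1252"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"RTF test\r\n"
    b"--b1\r\n"
    b"Content-Type: application/rtf\r\n"
    b"\r\n"
    b"{\\rtf1 RTF test}\r\n"
    b"--b1--\r\n"
)

# Constructed sample: a message that carries no plain-text alternative at all.
RICH_ONLY = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: application/rtf\r\n"
    b"\r\n"
    b"{\\rtf1 RTF test}\r\n"
)

def plain_text_only(raw: bytes):
    """Return (text, skipped): the decoded text/plain body (or None) and the
    content types of every leaf part whose payload was never decoded."""
    # The MIME parser still runs over the whole message here; only the
    # rich-body payloads are kept away from any decoder or renderer.
    msg = message_from_bytes(raw, policy=policy.default)
    text_parts, skipped = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container, no payload of its own
        ctype = part.get_content_type()
        if ctype == "text/plain" and not part.is_attachment():
            text_parts.append(part.get_content())
        else:
            skipped.append(ctype)  # payload left untouched
    return ("\n".join(text_parts) if text_parts else None), skipped

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("RICH_ONLY", RICH_ONLY)):
        print(name, plain_text_only(raw))
```

A `None` body is the case to handle explicitly: with no plain-text alternative, the choice is between showing nothing and handing a rich part to its parser.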

------
mpyne
Well there goes half of .gov and .mil... (at least the agencies not forcing
plain text email)

~~~
yuhong
Fortunately, I think the current exploits rely on ActiveX controls which are
disabled when reading Outlook RTF messages. In fact, I have seen no real world
Word exploits using Outlook RTF messages, probably because spear phishing is
effective enough.

~~~
firebones
The advisory says that Office for Mac 2011 is also affected, implying that
it's not related to ActiveX controls.

~~~
yuhong
The bug is not related to ActiveX controls, but current exploits for this bug
rely on one of them.

------
dijit
Everyone in my office runs MS Office for inane reasons, I did try to make them
move to openoffice/libreoffice w/ thunderbird, we run an open stack behind the
scenes and things simply integrate better..

I feel like this is a massive 'told ya so' after spending thousands of pounds
of company money on licenses, now I'll have to spend hours of my time fixing
everyone's machine one by one, just in case. >_<

Hopefully a fix comes in soon and I don't have to worry too much, I assume it
will but getting everyone to update (well, forcing it) is a bit hard too.

~~~
golergka
As someone who used Word, and especially Excel (for data analysis) pretty
intensively — if I couldn't use these tools for work, I'd probably think very
hard about finding another job. Excel is miles ahead not only of any competing
software, even its OSX version is very subpar to the Windows one: I used
parallels just to run it on my Mac. The usability difference is so big, it's
like comparing working with and without version control in terms of
productivity.

~~~
the_ancient
Chances are you are the type of person I complain about every day. Using Excel
for things it should not be used for....

There are true data analysis tools on the market, Excel is not one of them

~~~
golergka
I didn't say that it was the _only_ tool I used. I also regularly used R and
SQL.

However, it is the best tool for fast mockups and visualization.

------
mysteriousllama
I do wish they would tell us if EMET[1] is an effective mitigation for this
vulnerability or not. Considering it involves memory corruption it's likely..
But finding out the hard way would be no fun.

[1] [http://support.microsoft.com/kb/2458544](http://support.microsoft.com/kb/2458544)

~~~
pedro84
"First, our tests showed that EMET default configuration can block the
exploits seen in the wild."

[http://blogs.technet.com/b/srd/archive/2014/03/24/security-a...](http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx)

------
NKCSS
Funny that the C&C's IP (185.12.44.51) reveals that the machine was used to
confirm bitcoin transactions... Pretty sure it will try to rob you ;)

